At Pivott, security is a core value ingrained in everything we do. From the first line of code to the final product release, we prioritize the protection of your data and privacy.
Overview
Pivott maintains a formal information security program focused on protecting the information assets of our customers. Our organization adheres to best-in-class data security and privacy practices and requires all employees to undergo cybersecurity awareness training.
Pivott uses Amazon Web Services (AWS) to store and retrieve contract data, following industry best practices in security, compliance, and data protection.
Compliance
SOC 2 Type I certified. You can review our full compliance documentation and security posture at our Trust Center: trust.pivott.io
Data Security
- SOC 2 Type I compliant
- Encryption in transit using TLS/SSL
- All data at rest encrypted with AES-256 encryption provided by AWS
- Encryption keys managed by AWS; Pivott can manage keys in AWS Key Vault upon request
- Three-tier architecture for scalable, reliable, and secure infrastructure
- VPN enforcement across all internal systems
- Isolated development, staging, and production environments
- Comprehensive audit logs capturing all user actions, each with a timestamp
Application Security
- All business-critical changes are pre-approved by IT senior management and subject to thorough security review from architecture through deployment and testing
- All builds, including nightly builds, go through security scanning
- The Pivott Platform supports integration with subscriber identity providers for user authentication using industry-standard protocols: SAML 2.0, OAuth/OpenID, WS-Federation
- Multi-factor authentication (MFA) is supported out of the box whenever it is enabled at the identity provider
- Software Development Life Cycle (SDLC) combines technical, security, and DevOps expertise through continuous integration and deployment (CI/CD)
- Peer code review on all changes
- Incident response team and communication plan in place
Infrastructure & Physical Security
- The Pivott Platform is hosted entirely on AWS Cloud; there is no on-premise hosting
- Single Sign-on (SSO) enforcement across all internal systems
- For AWS data center compliance documentation, refer to aws.amazon.com/compliance
Third-Party Integrations
- AWS infrastructure hosted in USA and Canada
- Two-factor authentication (2FA) enforced on all supported platforms
- SOC 2 compliance required for all third-party vendors and suppliers
- Hardware and software inventory management maintained
Business Continuity & Disaster Recovery
- 3-2-1 backup strategy in place across all systems
- All essential data stored remotely using commercial cloud providers
- Incident response plan with defined communication procedures
Access & Authentication
- Single Sign-on (SSO) enforcement for all internal systems
- Password length and complexity enforcement
- Principle of least privilege (PoLP) applied to all access
- Privileged access management (PAM) provides monitoring, detection, and prevention of unauthorized access to critical resources
- User access and activity logging across all environments
Organizational Security
- All employees working on the Pivott Platform are subject to background verification and bound by contractual confidentiality obligations
- Employees undergo training sessions covering information security and data protection
- IT policy reviewed on a regular cadence
- Comprehensive insurance program maintained
Privacy
Pivott treats all data provided by customers as strictly confidential and uses data only for your benefit. We have implemented technical and organizational measures to protect your data, and offer a range of implementations to suit specific organizational processes or privacy requirements.
For full details on how we protect your privacy and data, please read our Privacy Policy.