Push Security brings real-time detection and response into the browser. This Trust Portal provides transparency into our security controls, compliance certifications, and operational security practices.
We maintain industry-leading security certifications and comply with global regulatory standards.
Audited by Linford & Co LLP
Push Security undergoes independent SOC 2 audits by licensed CPA firms that specialize in information security, and will continue to review and re-assess on an annual basis.
Push Security complies with GDPR regulations as described in our privacy policy.
Audited by IASME Consortium
Push Security assesses their security practices on an annual basis through the UK Government backed Cyber Essentials scheme. The Cyber Essentials certification provides assurance that our systems are resilient against the vast majority of common cyber attacks.
Security capabilities and features built into the Push Security product that customers can use to protect their organization.
Continuous monitoring for identity threats and anomalous behavior
Push Security detects and blocks identity attacks such as phishing, credential stuffing, and session hijacking through browser extension telemetry.
Discovery of identities, identity vulnerabilities and SaaS inventory
Push Security discovers identities in use across all web applications, as well as authentication vulnerabilities with those identities. The platform also provides user guardrails to resolve password and MFA-related vulnerabilities.
Industry-standard SSO protocols for seamless authentication
We provide SAML support for all providers, and OIDC support for Google Workspace and Microsoft 365 accounts. SSO simplifies identity management and improves security posture.
Time-based one-time password (TOTP) authentication
TOTP-based MFA provided via Auth0 for all user accounts. Users can protect their Push Security accounts with authenticator apps.
Granular permissions and role management
Push Security accounts are primarily intended for security team use. The platform supports both full-access and read-only roles, allowing teams to manage permissions based on responsibilities. Team members with full-access can invite others and modify account settings.
Complete audit trail of all actions and events
All user activity is logged within the platform. Audit data is retained internally and accessible to the security team, and also available externally through webhook and SIEM integrations. Extended audit logging can be enabled to track page visits by admins in the Push app.
Secure API access with authentication and rate limits
Push Security offers custom API integrations with webhook events and a full REST API. We also offer integrations with Microsoft Teams and Slack for alerts, and connections to Google Workspace, Microsoft 365, and Okta to capture identity telemetry, as well as a range of SIEM solutions to ingest detections, browser telemetry and audit log events.
Secure session handling with configurable policies
Minimum password length of 12 characters. Maximum session limits enforced to prevent unauthorized access.
Export your data in standard formats
Paying customers can request data exports in line with our Data Processing Agreement.
How we develop, test, and maintain the security of the Push Security product and infrastructure.
Security integrated throughout our development process
Defined development policy with branch protection on main branches, vulnerability scanning in CI/CD pipeline, GPG-signed code commits, and peer review requirements for all production changes.
Vulnerability reporting channel available
Security issues and bug reports can be submitted to security@pushsecurity.com. All reports are reviewed and triaged immediately. We do not currently operate a formal bug bounty program.
Comprehensive third-party security assessments
Push Security maintains a requirement to perform penetration testing at least annually by qualified security professionals. Critical and high-risk vulnerabilities are tracked to remediation.
Multiparty approvals, no permanent access to stores and strict publishing controls
Push Security considers supply chain risk to customers through our browser agent as a critical priority and regularly reviews and hardens processes for publishing updates to the extension.
Continuous automated vulnerability scanning
Web application vulnerability scans performed at least quarterly on all external-facing systems. Vulnerabilities are tracked to remediation. Critical vulnerabilities receive immediate attention and are remediated as soon as possible. Package monitoring performed against the software development platform.
Automated security testing in CI/CD pipeline
Vulnerability scanning integrated as part of the CI/CD build pipeline. Automated tests and quality assurance performed before merging code to production.
Automated dependency scanning and updates
Package monitoring tools continuously scan for vulnerabilities in dependencies. Issues are reviewed and remediated as necessary.
Protection against common web application vulnerabilities
Security controls and development practices designed to protect against injection attacks, broken authentication, XSS, CSRF, and other common web vulnerabilities.
Peer review required for all code changes
All code changes undergo peer review and approval by at least one authorized developer (other than the initial author) before deployment to production. Code commits must be GPG signed using hardware-backed tokens.
Built with secure-by-default and well-maintained frameworks
Push Security is developed using modern, security-hardened frameworks such as React and Node.js, following OWASP secure coding guidelines. Frameworks are regularly updated to incorporate security patches. The backend and APIs leverage AWS managed services that inherit ISO 27001 and SOC 2 controls. Secure defaults such as automatic output escaping, CSRF protection, and strict Content Security Policies reduce common web application risks.
Restrictive security headers on all responses
Industry-standard security headers implemented including Content Security Policy, HSTS, and other protections against common web attacks.
All traffic encrypted in transit
TLS 1.2+ encryption for all data transfers between users and Push Security systems.
How we protect, process, and manage customer data in our systems and infrastructure.
All data encrypted using industry-standard encryption
All Push Security product data uses AWS-managed storage services with AES-256 encryption enabled, including S3 buckets, databases, and backups. Secrets managed using AWS Key Management Service.
TLS for all network communications
All communications between Push Security services, external providers, and employees are performed over secure encrypted channels using TLS 1.2+ and industry-standard encryption.
EU data storage with documented locations
Production data stored in eu-west-1 (Dublin, Ireland). Backup data stored in eu-west-3 (Paris, France). Select data is replicated into Google Cloud Platform in europe-west1 (Belgium) for analytical purposes.
Clear retention periods and secure deletion procedures
Data backed up at least every 24 hours across multiple AWS availability zones. Push Security relies on AWS data destruction and decommissioning techniques per NIST 800-88.
Documented inventory of sensitive data types
Push Security ingests names, email addresses, browser attack detection details (URLs and optionally screenshots), identity vulnerabilities (MFA & password issues), login telemetry, browser profile metadata including installed browser extensions, discovered OAuth integrations and email forwarding rules.
Current data flow diagrams for sensitive data
Push Security maintains platform documentation including data flow diagrams showing relationships between system components.
Collection limited to necessary data only
Push Security only collects data necessary for providing identity security services. Password values are never collected or stored, only password strength metrics.
Logical isolation in multi-tenant architecture
Tenant separation with logical data partitioning measures implemented to prevent unauthorized access to data across clients.
GDPR-compliant data processing controls
A Data Processing Agreement and privacy policy is published on the Push website. Data Subject Access Requests handled at privacy@pushsecurity.com.
Regular backups with tested recovery procedures
Data backed up at least every 24 hours across multiple AWS availability zones. Recovery procedures tested monthly. RPO: 24 hours, RTO: 24 hours.
Security controls for our infrastructure, networks, and cloud environments.
AWS infrastructure with inherited compliance
Push Security operates a 100% serverless stack with all services managed by AWS. Leverages AWS compliance certifications including SOC 2 and ISO 27001. Service control policies are in place and AWS Control Tower guardrails monitor for deviations.
All infrastructure defined in code
All AWS infrastructure defined in code and deployed through automated CI/CD pipelines. Infrastructure code requires GPG-signed commits and security code review before deployment.
Isolated network environments
Separate public and private VPCs within AWS for logical access separation. VPC security group rules configured to block unauthorized traffic.
Protection against common web attacks
All Push Security application endpoints deployed via AWS CloudFront which includes DDoS protection via AWS Shield service.
Automatic DDoS mitigation
AWS Shield protection enabled on all CloudFront distributions protecting against volumetric DDoS attacks.
Secure storage and rotation of credentials
All secrets managed using AWS Key Management Service with encryption and access controls.
Continuous monitoring of infrastructure
AWS GuardDuty rules detect deviations from expected configurations. Logs stored in dedicated auditing and logging AWS accounts. Unusual or non-compliant events generate alerts for the security team via SIEM.
Strict controls on administrative access
Administrative access to production infrastructure and the software development platform requires hardware-backed FIDO MFA. Administrative access is extremely limited, with no manual changes to production - all changes are deployed through automated IaC CI/CD processes. Access to production accounts is logged and alerted on use.
Minimal necessary permissions
Access restricted on an as-needed basis with role-based access control. Temporary additional permissions require manager approval and are documented.
Verify every access request
Context-Aware Access features ensure only approved and managed company endpoints can access company data.
Controlled deployment processes
Separate development, staging, and production accounts. All changes tracked through project management system. No production data used in test environments. Changes require peer review and approval before production deployment.
Comprehensive audit trail
All access to databases and buckets where customer data resides logged in dedicated AWS accounts. Security and engineering teams use log monitoring tools to identify and evaluate security threats including unusual login attempts, failed actions, and availability issues.
Regular scanning and remediation
Web application vulnerability scans at least quarterly. All AWS services are serverless and managed by AWS, requiring no patching or upgrading of operating systems by Push Security.
Automated compliance checks
AWS Control Tower guardrails ensure configuration compliance for services and resources. Deviations generate alerts for security team review.
Measures to ensure service availability and recovery from disruptions.
Tested procedures for service restoration
Business continuity and disaster recovery plans in place and tested annually. Documented recovery time objectives and backup requirements for critical data.
Regular automated backups
Data backed up at least every 24 hours across multiple AWS availability zones. Backups can be retrieved and services restored within 24-hour RTO/RPO.
Multi-AZ deployment with auto-failover
Push Security services deployed to multiple availability zones within AWS to ensure uptime in the event of outages. Serverless architecture provides automatic scaling and failover.
Multi-region backup capabilities
Primary production in eu-west-1 (Dublin, Ireland) with backups in eu-west-3 (Paris, France) providing geographic redundancy.
Service level commitments
Push Security endeavors to maintain service availability of at least 99.9% per annum.
Public service status and incident communication
Real-time status updates and incident history available to clients for monitoring availability of services critical to the Push Security application.
How we assess and manage security risks from third-party vendors and subprocessors.
Risk-based vendor security reviews
Vendor management program includes critical third-party vendor inventory, vendor security requirements, and review of critical third-party vendors at least annually.
Regular review of vendor security posture
Annual review of subservice organizations including review of SOC 2 reports to monitor complementary subservice organization controls.
Complete list of third-party processors
Push Security maintains a published list of subprocessors for data where Push acts as data controller and data processor.
Security clauses in all vendor agreements
Push Security reviews contracts, security certifications, and audit reports to ensure the required security controls are in place and appropriate for the level of risk.
Risk classification of all vendors
Push Security maintains a critical third-party vendor inventory with risk-based assessments. Primary subservice organization is AWS for cloud hosting and data processing.
Breach notification requirements
Push Security monitors vendor security posture and requires notification of security incidents that may affect services or data.
Dependency risk monitoring
Package monitoring performed against software development platform to track vulnerabilities and updates in the supply chain.
Security practices, training, and controls for our workforce.
Pre-employment screening for all staff
All employees and contractors undergo background checks as part of the onboarding process, including criminal records search, global watchlist check, and identity verification.
Regular security training for all employees
Security awareness training provided at onboarding through direct training from the security team. At least annual security awareness training required for all personnel.
Regular security control evaluations
Push Security team has decades of red-teaming and cyber defense experience. We regularly perform internal assessments on infrastructure, policies, IAM, and deployment configurations - at least every 3 months.
Physical security best practices
Push Security operates as a paperless, fully remote company. All company devices enforce screen locks after inactivity, require strong authentication, and use full-disk encryption.
IT resource usage guidelines
Acceptable use policy included in the Information Security Policy document and is covered in regular training.
Employee ethics and conduct standards
Push Security requires employees to acknowledge ethics and acceptable behavior policy during onboarding. Code includes core values, confidentiality, zero tolerance for harassment or discrimination, and local regulations.
Security requirements for remote workers
As a fully remote company, all employee endpoints managed and secured consistent with work-from-home threat model. Context-Aware Access via Google Workspace ensures only approved managed endpoints access company data.
Immediate access revocation procedures
System access revoked prior to or at time of separation. Automated deprovisioning and equipment return procedures in place.
Security controls for employee devices and endpoints accessing our systems.
Advanced endpoint threat detection
Push Security deploys EDR software to all devices to detect and respond to endpoint attacks.
Control which applications can execute on endpoints
Push Security uses Santa for application allowlisting on macOS devices to ensure only approved applications can run.
Centralized device management
MDM solution used to deploy security policies and manage all devices accessing company resources. Policies include password requirements, screen lock, jailbreak detection, and failed login lockouts.
Encryption required on all devices
Employee devices have disk encryption enabled and enforced via MDM policies. Compliance is continually monitored to ensure non-compliant devices do not have access to company resources.
Timely OS and application updates
Automatic software patching enabled on all endpoints. Operating systems kept current with latest security updates.
Complete tracking of all devices
Push Security maintains an inventory of all assets via AWS Config and device management platforms.
Restricted use of external storage
Push Security prohibits the use of removable media to store data.
Automatic screen locking
Screen lock enforced across all devices via MDM with automatic timeout.
Lost/stolen device protection
Prior to decommissioning or repurposing a workstation, devices are wiped with activity logged. MDM provides remote wipe capabilities for lost or stolen devices.
Bring your own device program
Push Security permits BYOD for mobile devices when they are enrolled in the company MDM and comply with the required security policies (e.g., screen lock, encryption, OS version, not jailbroken). Non-compliant devices are blocked from accessing corporate resources.
Controls for managing user identities, authentication, and authorization across our systems.
MFA required for all system access
Push Security enforces strong password policies and MFA for all employees. Hardware devices (YubiKeys and Mac Touch ID) are used whenever possible, with TOTP as the alternative when FIDO is not supported. Password and MFA controls are enforced through Google Workspace and monitored across all SaaS apps using the Push platform.
Strong password requirements
Passwords required to be at least 14 characters in length. Employees required to use password managers for password generation and storage. Infrastructure access requires minimum 16 character passwords.
Centralized authentication
Push Security deploys SAML-based SSO where possible and uses Google OIDC logins where SAML is not available.
Regular review of elevated permissions
User access reviews are conducted at least quarterly with input from appropriate stakeholders. Access changes documented and approved by managers.
Temporary elevated permissions
Requests for temporary additional permissions must be documented and approved by managers.
Controlled onboarding process
User access to in-scope system components based on job role and function. Access requests documented and require manager approval before provisioning.
Immediate revocation upon termination
System access revoked prior to or at time of separation. Automated processes ensure timely deprovisioning.
Periodic validation of access rights
User access reviews are conducted at least quarterly. Access changes documented and approved by managers. Push Security platform provides real-time awareness of SaaS platform usage and access rights.
How we prepare for, detect, respond to, and recover from security incidents.
Documented procedures for handling security incidents
Push Security has a documented incident response plan (IRP) establishing procedures for information security incidents, including escalation, roles/responsibilities, incident classification, response procedures, and lessons-learned analysis.
Regular testing and updates of IR procedures
IRP tested and updated at least annually based on incident outcomes and lessons learned. Tests ensure processes remain current for environments and teams.
Documentation of all security events
Push Security maintains records of security incidents defining root cause and providing information to prevent recurrence. Records include incident description, facts, mitigations, risk assessment, and outcomes.
Clear escalation and notification paths
IRP includes roles, responsibilities, and communication strategies in the event of compromise. Push Security has provided information to clients and employees on how to report failures, incidents, or concerns.
Timely notification of affected parties
In the event of a data breach, Push Security will notify all impacted parties, regulators, and supervising authorities without undue delay and in accordance with obligations under applicable data protection laws.
Lessons learned and process improvements
IRP includes lessons-learned analysis to determine root cause and implement incident response enhancements. When security incidents occur, Push Security follows IRP including documenting security incident through remediation.
Designated personnel for security incidents
IRP designates Incident Response Team with defined roles and responsibilities for responding to security incidents.
Continuous detection of potential incidents
Engineering team uses log monitoring tools to identify and evaluate security threats including unusual login attempts, failed actions, and availability issues. Internal security teams monitor SIEM for Browser Detection and Response, EDR, App-allowlisting, and Cloud security events.
Third-party audits, certifications, and compliance frameworks we adhere to.
Annual SOC 2 examination
Push Security undergoes annual SOC 2 Type II audits. Current report covers period March 1, 2024 to February 28, 2025 with unqualified opinion. Report available under NDA.
EU data protection regulation compliance
Data Processing Agreement available. Privacy policy published. Data Subject Access Requests handled. DPIA guidance and templates available. DPO contactable at privacy@pushsecurity.com.
GDPR-compliant data processing terms
Push Security offers a DPA available online covering data processing obligations, security measures, and data subject rights.
Transparent data handling practices
Comprehensive privacy policy describing data collection, processing, storage, and subject rights.
Clear service terms and commitments
Master Services Agreement and Terms of Service available online defining service commitments, limitations, and customer responsibilities.
Transparent cookie usage disclosure
Cookie policy available describing how Push Security uses cookies and similar technologies.
List of third-party data processors
Published and maintained list of subprocessors with 30-day change notification.
Financial protection against cyber incidents
Push Security maintains cybersecurity insurance policy providing coverage for security incidents to mitigate financial impact of business disruptions.
Uptime and availability commitments
99.9% uptime SLA per annum for Push Security services.
To access our security documents, please submit a request below. Our team will review your request and grant access after you sign our Non-Disclosure Agreement (NDA).