Security, privacy, and compliance
pmkit is built with enterprise governance at its core. Draft-only architecture, encrypted credentials, full audit trails, and transparent controls.
Security Overview
Defense in depth with encryption, access controls, and the draft-only pattern.
Encryption in Transit
All connections use TLS 1.3. API endpoints enforce HTTPS with HSTS.
Encryption at Rest
Database and object storage encrypted with AES-256. Backups encrypted with separate keys.
Credential Storage
OAuth tokens and API keys stored with envelope encryption. Encryption keys rotated quarterly.
Secret Rotation
Internal secrets rotated automatically. Connector credentials refresh via OAuth 2.0 flows.
Draft-Only Posture
Agents propose changes but never write directly. All outputs require explicit approval.
Proposal Approvals
Every Jira epic, Confluence page, or Slack message is a reviewable proposal before execution.
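As an added illustration, not pmkit's own code, here is a minimal version of the draft-only gate described above: an agent can only draft a Proposal, the external write runs only after a reviewer approves, and each step is audit-logged with actor, timestamp and resource ID. The executor callback, the event names and the check that an author cannot approve its own proposal are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Proposal:
    """A drafted change; nothing here touches the external system."""
    proposal_id: str
    author: str                   # agent that drafted it
    resource_id: str              # target in the external system (constructed ids below)
    payload: dict
    approved_by: Optional[str] = None


class ApprovalRequired(Exception):
    """Raised when execution is attempted on an unapproved proposal."""


class ProposalGate:
    """Only approved proposals reach the executor; every step is audit-logged."""

    def __init__(self, executor: Callable[[Proposal], None]):
        self._executor = executor     # the only code path that writes externally
        self.audit_log: list[dict] = []

    def _log(self, actor: str, action: str, proposal: Proposal) -> None:
        self.audit_log.append({
            "actor": actor,
            "action": action,
            "proposal_id": proposal.proposal_id,
            "resource_id": proposal.resource_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        })

    def submit(self, proposal: Proposal) -> None:
        self._log(proposal.author, "proposal.created", proposal)

    def approve(self, proposal: Proposal, reviewer: str) -> None:
        if reviewer == proposal.author:   # assumed separation-of-duties rule
            raise PermissionError("author cannot approve its own proposal")
        proposal.approved_by = reviewer
        self._log(reviewer, "proposal.approved", proposal)

    def execute(self, proposal: Proposal, actor: str) -> None:
        if proposal.approved_by is None:  # denied attempts are logged too
            self._log(actor, "proposal.execute_denied", proposal)
            raise ApprovalRequired(proposal.proposal_id)
        self._executor(proposal)
        self._log(actor, "proposal.executed", proposal)
```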
Access Control
RBAC, audit logging, and SSO for enterprise identity management.
Role-Based Access Control
Fine-grained RBAC with roles: Admin, PM, Eng, CS, Sales, Exec, Viewer, Guest. Each role has specific permissions.
Audit Logging
Every job run, tool call, proposal, and data access is logged with actor, timestamp, and resource IDs.
SSO Support
Teams: OIDC with Google Workspace + Microsoft Entra ID. Enterprise: SAML SSO + SCIM directory sync.
Privacy & AI Data Use
Your data is not used to train models. Enterprise customers can use their own LLM endpoints.
No Training on Your Data
We use the OpenAI API for inference. Per OpenAI's API data usage policy, data sent via the API is not used for training models. Enterprise customers can use their own LLM endpoints (Azure OpenAI, self-hosted) for additional control.
Data Retention
Default: 90 days for artifacts and job outputs (30-day option available). Audit logs retained for subscription duration + 90 days. Raw connector data (Slack messages, Jira issues) is cached temporarily during job execution only and not persisted.
Data Minimization
We only fetch data necessary for job execution. LLM conversation context is not persisted after job completion. Source content is cached temporarily and expired based on your retention settings.
Subprocessors
Third-party services that process customer data on our behalf.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Application hosting | EU/US |
| PostgreSQL (managed) | Database | EU/US |
| Redis (managed) | Cache & queues | EU/US |
| Stripe | Payment processing | EU/US |
| OpenAI | LLM inference | US |
| Simple Analytics | Website analytics | EU/US |
Compliance
Current certifications and compliance initiatives.
SOC 2 Type II
We are actively working toward SOC 2 Type II certification. Contact us for our current security questionnaire responses and timeline.
ISO 27001
ISO 27001 certification is on our roadmap following SOC 2 completion.
DPA
Data Processing Agreement available on request for all customers. GDPR-compliant terms included.
Data Residency
Enterprise customers can request data residency in specific regions. Contact sales for options. Note: Not all regions available at launch.
Controls Library
How we implement key security controls.
| Control | Implementation |
|---|---|
| Access logging | ToolCallLog + AuditLog with immutable exports |
| Least privilege | Scoped OAuth tokens + RBAC per role |
| Encryption at rest | AES-256 for DB + object storage |
| Encryption in transit | TLS 1.3 enforced on all endpoints |
| Secret management | Envelope encryption + quarterly rotation |
| Draft-only writes | Proposal model for all external writes |
| Data retention | Configurable TTL per artifact type |
| Audit export | Enterprise API for SIEM integration |
Operational Security
Status Page
System status and incident communication. Status page coming soon at status.getpmkit.com.
Incident Response
Security incidents: acknowledged within 4 hours, updates every 24 hours until resolution. Critical issues escalated immediately.
Vulnerability Disclosure
We take security seriously and appreciate the work of security researchers. If you discover a vulnerability, please report it via our contact form. We will acknowledge within 48 hours and work with you to address the issue. We do not pursue legal action against good-faith security research.
Security & Data Processing Pack
Available on request for procurement and security reviews.
Data Processing Agreement (DPA)
GDPR-compliant DPA with Standard Contractual Clauses for cross-border transfers.
Subprocessor List
Current list of third-party services that process customer data (see table above).
RBAC Model Documentation
Role definitions, permission matrix, and access control implementation details.
Audit Log Scope
What events are logged, retention periods, and export capabilities.
LLM Data Handling
How data flows to LLM providers, API terms, and BYO LLM options for Enterprise.
Security Questionnaire
Pre-filled responses for common security questionnaire formats (CAIQ, SIG, custom).
Questions about security?
Contact us for security questionnaire responses, DPA requests, or to discuss enterprise security requirements.