
Last updated: 12 January 2026

PrivSecOps Security Overview

This document is the property of Pipefy and contains information that is proprietary, confidential or restricted from disclosure. If you are not authorized to receive it, please return this document to the owner mentioned above. The disclosure, distribution, reproduction or use of this document in whole or in part by any third party other than the person for whom it is intended, without Pipefy's prior written consent, is strictly prohibited.

Security Overview
Contents

PIPEFY DATACENTER AND NETWORK SECURITY
  Physical security
  Network security
  Encryption and authentication
  Availability and Continuity
APPLICATION SECURITY
  Safe Development (SDLC)
  Application vulnerabilities
PRODUCT SAFETY FEATURES
  Safe Development (SDLC)
  Additional product safety features
SECURITY METHODOLOGIES
  Information Security Management System
  Information Security Awareness
  Employee Verification
ADDITIONAL CERTIFICATIONS AND DOCUMENTATION
REVISION HISTORY
ENGLISH VERSION OF THE DOCUMENT

PIPEFY DATACENTER AND NETWORK SECURITY
Physical security
Facilities: The physical infrastructure of Pipefy service providers is hosted and managed in secure Oracle data centers and uses Oracle Cloud Infrastructure (OCI) technology. Oracle manages risk and undergoes recurring assessments to ensure compliance with industry standards. Oracle's data center operations have been accredited in:

- ISO 27001
- ISO 27701
- ISO 27018
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley Act (SOX)

If the customer needs a multicloud solution, Pipefy will analyze the case and make other cloud providers available, with the same quality as AWS.

Local security: Pipefy uses ISO 27001 and FISMA certified data centers managed by Oracle. OCI data centers are housed in nondescript facilities, and critical facilities have extensive military-grade perimeter control setbacks and berms, as well as other natural boundary protections. Physical access is strictly controlled at both the perimeter and building entry points by professional security personnel utilizing video surveillance, state-of-the-art intrusion detection systems and other electronic means. Authorized staff must undergo two-factor authentication at least three times to access data center floors. All visitors and contractors are required to present identification and are registered and continuously monitored by authorized personnel.

Location: Pipefy service providers' data centers are located in the United States. If the customer wants to request a single tenant, multiple locations across the world are available using different cloud solutions.

Network security
Security Response Team: Our security response team is on call to respond to security alerts and events and can be reached at [email protected].

Protection: Infrastructure and management for all firewalls is provided by our service provider, Oracle OCI. Firewalls are used to restrict access to external network systems and between internal systems. By default, all access is denied, and only explicitly allowed ports and protocols are permitted based on business needs. Each system is assigned a firewall security group based on the system's role. Security groups restrict access to the ports and protocols required for a system's specific function in order to mitigate risk. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.

Vulnerability Management: Our service provider-managed firewalls prevent IP, MAC, and ARP spoofing within the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Our service provider utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk mitigation at all levels. Port scanning is prohibited and each reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.

Penetration Testing and Vulnerability Monitoring: Pipefy has a specialized team responsible for internal pentests and vulnerability assessments. These tests are performed at least once a quarter. Third-party security testing of our services may be performed by reputable, independent security consulting firms engaged by the customer. Any findings from such an assessment are reviewed with the assessors, classified in terms of risk, and assigned to the responsible team for resolution under an SLA. These tests are carried out by the customer and all charges involved are the customer's responsibility.

Event and security incident response: In the event of a security incident, our engineers are called upon to collect extensive logs from critical host systems and analyze them in order to respond to the incident in the most appropriate manner possible. Collecting and analyzing log information is critical for troubleshooting and investigating issues. Our service provider allows us to analyze three main types of logs: system, application and API logs. Where responsibilities are shared between Pipefy and our cloud providers, Pipefy's security team is accountable for them.

DDoS Mitigation: Our service provider's infrastructure provides DDoS mitigation techniques, including TCP SYN cookies and connection rate limiting, in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the bandwidth provided by the Internet operator. We work closely with our vendors to quickly respond to events and activate advanced DDoS mitigation controls when necessary.

Logical Access: Access to the Pipefy Production Network is restricted on an explicit need-to-know basis, follows the principle of least privilege, and is frequently audited and closely controlled by our engineering team. Employees accessing the Pipefy Production Network are required to use multiple authentication factors.
Encryption and authentication
Encryption in transit: All internal and external communication is done over a secure connection with TLS 1.2 or higher.

Encryption in transit (emails): All emails are sent by SendGrid over a secure TLS connection.

Encryption at rest and in backup: Data at rest is encrypted using the AES-256 algorithm. Backups are done via snapshot, also with AES-256 encryption.
Availability and Continuity
Uptime: Pipefy was built with high availability in mind and our engineering team continuously monitors it to ensure its availability. Availability over the last 2 years has been 99.9% or higher, and can be viewed on our website at status.pipefy.com.

Redundancy: Clustering and network redundancies at Pipefy's service provider eliminate single points of failure.

Disaster recovery: Our service provider's platform automatically restores customer applications and databases in the event of an outage. The provider platform is designed to deploy applications dynamically in its cloud, monitor failures and recover failed platform components, including customer applications and databases.

APPLICATION SECURITY
Safe Development (SDLC)
Ruby on Rails framework security controls: We use Ruby on Rails framework security controls to limit exposure to the OWASP Top 10 security flaws. This includes built-in controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi), among others.

Quality Control: Our quality control department reviews and tests our codebase. Dedicated application engineers on the team identify, test, and triage security vulnerabilities in the code.

Separate Environments: Testing and staging environments are separate from the production environment. No real customer data is used in development or testing environments.
Application vulnerabilities
Static code analysis: Our source code repositories are continuously checked for security issues through our integrated static analysis tools.

PRODUCT SAFETY FEATURES
Safe Development (SDLC)
Authentication options: Pipefy supports login, SSO and Google authentication.

Single Sign-On (SSO): Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials to access Pipefy.

Secure credential storage: Pipefy follows secure credential storage best practices, never storing passwords in human-readable format.

API security and authentication: Pipefy's API is SSL-only and you must be a verified user to make API requests. Requests are authorized using an API token.
Additional product safety features
Privileges and Access Roles: Access to your Pipefy account data is governed by access rights and can be configured to define access privileges. Pipefy has multiple permission levels for organization users (member and administrator) and for pipes (start form only, member and administrator). More details can be seen here.

Transmission Security: All communications with Pipefy service providers' servers are encrypted using industry-standard HTTPS. This ensures that all traffic between you and Pipefy is secure during transit.

SECURITY METHODOLOGIES
Information Security Management System
Objectives: The strategic information security objectives (ISMS strategic objectives) are those that Pipefy intends to achieve according to a corporate information security vision and that are aligned with the objectives mentioned in its Corporate Strategic Plan, among which are:

- Promote compliance with laws, standards and regulations relating to the business in its aspects related to Information Security;
- Continuously improve the security controls and maturity of the Pipefy Platform to mitigate risks;
- Increase knowledge and internal awareness about the need for Information Security for the business.

Information Security Awareness
Policies: Pipefy has developed a comprehensive set of security policies that cover a variety of topics. These policies are shared and made available to all employees and service providers with access to Pipefy's information assets.

Audit: Reports are not shared externally; only the results and maturity level of the Pipefy environment are shared.

Training: All new employees attend Security Awareness Training, and all employees repeat the same training once a year. Furthermore, all employees participate in training on Data Privacy, GDPR and LGPD. All members of the Engineering team also participate once a year, in addition to Security Awareness Training, in Secure Development Training based on the OWASP Top 10 and SANS 25. Security Awareness is also part of Pipefy's routine, as updates are shared among all teams via email, blog posts, and presentations during internal events.

Privacy measures: At Pipefy we are aware of your privacy and rights and work to provide you with the best practices and measures to keep your data safe. We comply with the requirements of LGPD and GDPR, and we work every day to maintain a high level of maturity in our security measures. You can find more information about privacy at Pipefy at:

- Worldwide privacy page: https://www.pipefy.com/privacy-policy/
- Brazilian privacy page: https://www.pipefy.com/pt-br/politica-de-privacidade/

For any questions and requests, please contact us via email: [email protected]. Email from our DPO: [email protected].

Employee Verification
Background verification: Pipefy conducts background checks on all new employees in accordance with local laws. Background verification includes criminal, educational, and employment verification.

Confidentiality Agreements: All new hires are screened during the hiring process and required to sign non-disclosure and confidentiality agreements in accordance with local laws.

ADDITIONAL CERTIFICATIONS AND DOCUMENTATION
ISO 27001: The ISO 27001 standard is the internationally recognized best practice framework for an Information Security Management System (ISMS).

ISO 27701: ISO 27701 is the international privacy standard that provides a framework for data privacy management. It is a data privacy extension of ISO 27001.

ISO 27018: ISO 27018 is the code of practice for protecting personally identifiable information (PII) in cloud computing services.

SOC 1 and 2 Type 2: SOC 1 and 2 are regularly updated reports that focus on financial controls, security, availability and confidentiality of a cloud service. Pipefy can share SOC 1 and 2 reports under a signed non-disclosure agreement (NDA).

AWS qualified software: Our AWS vendor reviews our infrastructure and application security through the Foundational Technical Review (FTR). This process ensures that our cloud implementation and usage has been validated by AWS for its technical proficiency and associated customer references.

Consensus Assessments Initiative Questionnaire (CAIQ): The CAIQ questionnaire provides an accepted industry way to document what security controls exist on cloud services. This increases security control transparency for current and potential customers, who can then determine whether our services are secure enough for their purposes. The completed questionnaire can be obtained under a signed non-disclosure agreement (NDA).
REVISION HISTORY

Version | Date | Responsible team | Description
1.0 | 22/05/2022 | PrivSecOps | Document creation
2.0 | 20/05/2023 | PrivSecOps | Annual review; addition of scope certifications
3.0 | 17/06/2024 | PrivSecOps | Annual review; template adjustment
4.0 | 28/03/2025 | PrivSecOps | Annual review
