Battle-tested security for the most sensitive projects.

Enterprise-grade encryption, per-tenant isolation, and granular access controls for the AI era. VPC and custom on-prem deployments available on request.

Enforcing the most rigorous compliance standards for data privacy.

Access Trust Center
SOC 2 Type II

Our AWS infrastructure is independently audited against the SOC 2 Type II controls for security, availability, and confidentiality. Picket’s own company-wide audit is in progress.

ISO 27001

Runs on AWS infrastructure certified to ISO 27001, the international standard for information security management systems (ISMS).

ISO 27018

Covered by ISO 27018, the code of practice for protecting personally identifiable information (PII) processed in the public cloud.

GDPR

Aligned with GDPR: access, correction, and erasure requests are honored, and we sign a Data Processing Agreement (DPA) on request.

The Trust Center holds our SOC report, pen-tests, subprocessors, and security docs. Contact us for our latest security questionnaire or a signed DPA.

Your data stays yours

Never used to train AI

Your documents, prompts, and answers never train Picket’s models or any provider’s. Providers receive content only to return your response, and retain none of it.

Isolated to your company

Every company is a separate tenant. PostgreSQL row-level security scopes each query to your organization, and your embeddings live in a dedicated vector namespace keyed to your company ID.

Stored in the US

All documents, databases, and backups are stored and processed on AWS in US regions. Nothing is replicated outside the United States.

Yours to delete or export

Delete or export any file, project, or your entire workspace at any time. When your contract ends, all of your data and backups are permanently deleted within 30 days, or immediately if you ask.

Encrypted and hardened

Encrypted end to end

AES‑256 at rest on every document, database, and backup. TLS 1.3 in transit on every connection, including service-to-service and calls to model providers.

Certified infrastructure

Production runs in isolated AWS VPCs with no public database access, behind a web application firewall, rate limiting, and least-privilege IAM roles.

Penetration tested

Independent firms penetration-test the full platform on a recurring cadence, and every finding is tracked through to remediation.

Scanned on every change

Every commit is scanned in CI for vulnerabilities, leaked secrets, and known dependency CVEs before it can reach production.

Access on your terms

Zero-trust by default

No user or service is trusted by default. Every request is authenticated, authorized against least-privilege scopes, and logged.

Single sign-on

Connect any SAML 2.0 or OIDC identity provider. MFA is enforced at your IdP, and sessions follow your directory’s policies.

Granular permissions

Grant access at the project or data-room level. Permissions are checked on every request and revocable in one click.

No access without consent

Picket staff do not access your documents. Break-glass support access requires your written approval, is time-boxed to the issue, and is fully logged.

Ownership and control

Audit trails

Every authenticated action (uploads, deletes, shares, permission and admin changes) is written to an immutable audit log your team can review and export.

Data retention controls

Configure retention windows per workspace to match your internal policies and regulatory obligations. Expired data is purged automatically.

Continuous monitoring

Application and infrastructure logs are centralized and monitored around the clock, with alerting on anomalous access patterns.

Directory provisioning

Users are provisioned and deprovisioned from your identity provider, so access ends the moment someone leaves your directory.

FAQs

Is our data ever used to train AI?

No. Your documents, prompts, and the answers Picket generates are never used to train Picket’s models or any model provider’s. Content is sent to a provider only to produce your response; under our provider agreements and API configuration it is not logged, retained, or used for training, and it is never shared with other customers.

Where is our data stored?

All of your data (documents, extracted text, embeddings, metadata, and backups) is stored and processed on AWS in US regions. Documents sit in encrypted object storage, structured data in a managed PostgreSQL database, and embeddings in a per-tenant namespace in our vector index. Nothing is replicated outside the United States. The underlying infrastructure carries SOC 2 Type II, ISO 27001, and ISO 27018 attestations.

How is our data encrypted?

Data is encrypted with AES-256 at rest across object storage, the database, and backups, and with TLS 1.3 in transit. Encryption covers every hop: your browser to our API, service-to-service inside the VPC, and from Picket to model providers. Encryption keys are managed by AWS KMS with automatic rotation.

Who at our company can access documents?

Only the users you invite, and only the projects or data rooms you grant them. Tenant isolation is enforced at the database with PostgreSQL row-level security, so one customer can never reach another customer’s data. You can change or revoke access in one click, and every access is recorded in the audit log. Picket staff work under least-privilege controls and do not access your documents; any break-glass support access requires your written approval and is logged.

Is Picket SOC 2 certified?

Picket runs entirely on AWS infrastructure that is independently audited to SOC 2 Type II, ISO 27001, and ISO 27018. Picket’s company-wide SOC 2 Type II audit is in the observation window. For the current attestation reports, our latest security questionnaire, or a signed DPA, contact security@picket.build.

What happens to our data if we leave?

You can export your full workspace at any time in standard formats. When your contract ends, all of your data, including documents, derived data (extracted text, embeddings, and metadata), and encrypted backups, is permanently deleted within 30 days. You can also contact us at any time to have every record for your organization, backups included, deleted immediately.