Battle-tested security for the most sensitive projects.
Enterprise-grade encryption, per-tenant isolation, and granular access controls for the AI era. VPC and custom on-prem deployments available on request.
Enforcing the most rigorous compliance standards for data privacy.
Access Trust CenterOur AWS infrastructure is independently audited against the SOC 2 Type II controls for security, availability, and confidentiality. Picket’s own company-wide audit is in progress.
Runs on AWS infrastructure certified to ISO 27001, the international standard for information security management systems (ISMS).
Covered by ISO 27018, the code of practice for protecting personally identifiable information (PII) processed in the public cloud.
Aligned with GDPR: access, correction, and erasure requests are honored, and we sign a Data Processing Agreement (DPA) on request.
The Trust Center holds our SOC report, pen-tests, subprocessors, and security docs. Contact us for our latest security questionnaire or a signed DPA.
Your data stays yours
Never used to train AI
Your documents, prompts, and answers never train Picket’s models or any provider’s. Providers receive content only to return your response, and retain none of it.
Isolated to your company
Every company is a separate tenant. PostgreSQL row-level security scopes each query to your organization, and your embeddings live in a dedicated vector namespace keyed to your company ID.
Stored in the US
All documents, databases, and backups are stored and processed on AWS in US regions. Nothing is replicated outside the United States.
Yours to delete or export
Delete or export any file, project, or your entire workspace at any time. When your contract ends, all of your data and backups are permanently deleted within 30 days, or immediately if you ask.
Encrypted and hardened
Encrypted end to end
AES‑256 at rest on every document, database, and backup. TLS 1.3 in transit on every connection, including service-to-service and calls to model providers.
Certified infrastructure
Production runs in isolated AWS VPCs with no public database access, behind a web application firewall, rate limiting, and least-privilege IAM roles.
Penetration tested
Independent firms penetration-test the full platform on a recurring cadence, and every finding is tracked through to remediation.
Scanned on every change
Every commit is scanned in CI for vulnerabilities, leaked secrets, and known dependency CVEs before it can reach production.
Access on your terms
Zero-trust by default
No user or service is trusted by default. Every request is authenticated, authorized against least-privilege scopes, and logged.
Single sign-on
Connect any SAML 2.0 or OIDC identity provider. MFA is enforced at your IdP, and sessions follow your directory’s policies.
Granular permissions
Grant access at the project or data-room level. Permissions are checked on every request and revocable in one click.
No access without consent
Picket staff do not access your documents. Break-glass support access requires your written approval, is time-boxed to the issue, and is fully logged.
Ownership and control
Audit trails
Every authenticated action (uploads, deletes, shares, permission and admin changes) is written to an immutable audit log your team can review and export.
Data retention controls
Configure retention windows per workspace to match your internal policies and regulatory obligations. Expired data is purged automatically.
Continuous monitoring
Application and infrastructure logs are centralized and monitored around the clock, with alerting on anomalous access patterns.
Directory provisioning
Users are provisioned and deprovisioned from your identity provider, so access ends the moment someone leaves your directory.
FAQs
Is our data ever used to train AI?
No. Your documents, prompts, and the answers Picket generates are never used to train Picket’s models or any model provider’s. Content is sent to a provider only to produce your response; under our provider agreements and API configuration it is not logged, retained, or used for training, and it is never shared with other customers.
Where is our data stored?
All of your data (documents, extracted text, embeddings, metadata, and backups) is stored and processed on AWS in US regions. Documents sit in encrypted object storage, structured data in a managed PostgreSQL database, and embeddings in a per-tenant namespace in our vector index. Nothing is replicated outside the United States. The underlying infrastructure carries SOC 2 Type II, ISO 27001, and ISO 27018 attestations.
How is our data encrypted?
Data is encrypted with AES-256 at rest across object storage, the database, and backups, and with TLS 1.3 in transit. Encryption covers every hop: your browser to our API, service-to-service inside the VPC, and from Picket to model providers. Encryption keys are managed by AWS KMS with automatic rotation.
Who at our company can access documents?
Only the users you invite, and only the projects or data rooms you grant them. Tenant isolation is enforced at the database with PostgreSQL row-level security, so one customer can never reach another customer’s data. You can change or revoke access in one click, and every access is recorded in the audit log. Picket staff work under least-privilege controls and do not access your documents; any break-glass support access requires your written approval and is logged.
Is Picket SOC 2 certified?
Picket runs entirely on AWS infrastructure that is independently audited to SOC 2 Type II, ISO 27001, and ISO 27018. Picket’s company-wide SOC 2 Type II audit is in the observation window. For the current attestation reports, our latest security questionnaire, or a signed DPA, contact security@picket.build.
What happens to our data if we leave?
You can export your full workspace at any time in standard formats. When your contract ends, all of your data, including documents, derived data (extracted text, embeddings, and metadata), and encrypted backups, is permanently deleted within 30 days. You can also contact us at any time to have every record for your organization, backups included, deleted immediately.