Enforced

Encryption in Transit (TLS 1.2+)

All data transmitted between your browser and pinpole is encrypted using TLS 1.2 or higher. This applies to every connection:

  • Browser to application server (HTTPS only)
  • Application server to Google Cloud Firestore
  • Application server to AWS APIs (STS, CloudFormation)
  • Application server to Stripe payment APIs
  • OAuth token exchanges with Google Identity

HSTS (HTTP Strict Transport Security) is enforced with a 1-year max-age, includeSubDomains, and preload directives to prevent protocol downgrade attacks.

AES-256

Encryption at Rest (AES-256-GCM)

Sensitive data stored by pinpole is encrypted at rest using AES-256-GCM with PBKDF2-derived keys:

  • Cloud account credentials — AWS role ARNs, external IDs
  • Deployment records — CloudFormation stack history
  • Subscription data — billing and plan information
  • Canvas & architecture data — stored in Google Cloud Firestore, which uses AES-256 encryption at rest by default
  • Simulation results — stored in Firestore with the same encryption

Each write uses a unique random IV and salt, ensuring identical payloads produce different ciphertext (semantic security).

OAuth 2.0 + PKCE

Authentication & Session Security

pinpole uses industry-standard authentication protocols:

  • Google OAuth 2.0 with PKCE — no client-side secrets, resistant to authorization code interception
  • HMAC-SHA256 signed JWTs — tamper-evident session tokens with timing-safe signature verification
  • HttpOnly, Secure, SameSite cookies — session tokens are inaccessible to JavaScript and only sent over HTTPS
  • 7-day session expiry — automatic re-authentication required
  • PKCE verifiers — 10-minute TTL, cleared after use

Headers

HTTP Security Headers

Every response from pinpole includes defense-in-depth security headers:

  • Strict-Transport-Security — enforces HTTPS with 1-year max-age and preload
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks
  • X-Frame-Options: DENY — blocks clickjacking via iframe embedding
  • Referrer-Policy — strict-origin-when-cross-origin to limit referrer leakage
  • Permissions-Policy — disables camera, microphone, and geolocation APIs
  • Cross-Origin-Embedder/Opener-Policy — process isolation protections

Infrastructure

Infrastructure & Data Isolation

Layer                    | Protection                                                                                | Standard
-------------------------|-------------------------------------------------------------------------------------------|------------------------
Database (Firestore)     | Google Cloud default encryption at rest (AES-256), TLS in transit                         | SOC 2, ISO 27001
File storage (interim)   | AES-256-GCM with PBKDF2 key derivation, owner-only file permissions (0600)                | NIST SP 800-38D
AWS cross-account access | IAM AssumeRole with external ID, least-privilege policy, CloudTrail audit                 | AWS Well-Architected
Payment processing       | Stripe handles all card data; pinpole never sees or stores card numbers                   | PCI DSS Level 1
Session tokens           | HMAC-SHA256 JWTs, HttpOnly + Secure + SameSite cookies, timing-safe comparison            | OWASP best practices
Data isolation           | Per-user Firestore collections; API middleware enforces authentication on all routes      | Tenant isolation

Questions about security?

Contact us for security assessments, compliance documentation, or to report a vulnerability.