Some of the largest enterprises trust Pinecone to store their data and power their critical applications. We work hard to earn and maintain that trust by treating security and reliability as a cornerstone of our company and product. We extend this to all our users and customers, regardless of size and industry.
Since its founding in 2019, Pinecone has been developed by engineers and scientists experienced in building secure and reliable systems at companies like Amazon, Yahoo, and Google. Pinecone is based in California, United States.
Data Safeguards
Pinecone runs on fully managed and secure AWS infrastructure as a multi-tenant Kubernetes cluster.
- Customer data is stored in isolated containers.
- Customer data is encrypted at rest and in transit.
- Customer data is never used for any reason other than servicing API calls.
- Pinecone only monitors operational metrics to support the operational health and performance of the system.
- Strict role based access control (RBAC) for service engineers.
Additional Safeguards for Dedicated-Cloud Deployments
Enterprise customers enjoy all the safeguard above and additional security measures
- A dedicated AWS account for complete resource isolation.
- A dedicated, single-tenant, Kubernetes cluster.
- Complete network isolation from the internet.
- AWS CloudTrail is enabled for audit logging.
- The above holds for all data including vector data and metadata.
Contact us for complete deployment options.
SOC2 Type II
Pinecone is SOC2 Type II certified. The certification is based on the COSO framework and has been audited by an external Big4 CPA firm (EY). The scope of the program includes Information Security, Availability, and Confidentiality.
GDPR
Pinecone is committed to supporting customers in their GDPR compliance efforts, and has undertaken the necessary steps to be GDPR-ready. The Website Privacy Policy, Customer Data Protection Addendum, and Product Privacy Statement detail how Pinecone collects, uses, and protects information.
Penetration Tests
Pinecone routinely undergoes third-party security reviews and remediates findings according to their criticality and prioritization. Security personnel can request executive summaries of findings by contacting info@pinecone.io.
Policies, Guidelines, and Practices for Protecting Data
Pinecone information assets and systems are classified into public and confidential, including a subset of Pinecone Confidential Information which is “Pinecone Third Party Confidential” information. This is confidential information belonging or pertaining to Pinecone customers or another corporation.
The use of these assets is subject to an Acceptable Use Policy which includes user accounts, passwords, media use, email and communication activities, and other such procedures.
Access Control is based on a policy that instructs relevant employees of the company about methods of access control management and user authorizations in the information systems of the company.
HR policies and procedures define the proper ways to address various security issues in Human Resources management, prior to employment (screening, interviewing, background checks), during employment, and at the time of termination of employment (i.e. off-boarding).
Pinecone follows Software Development Lifecycle (SDLC) best practices. Pinecone has a procedure that defines the process for change control in Pinecone’s systems and services in its production environment, relating to development, implementation, operations, and IT issues.
Employee Access Lifecycle
Pinecone addresses various security issues in Human Resources management, prior to employment, during employment, and at the termination of employment. Onboarding includes data security training and adherence to the requirements set in the Information Security Policy, Acceptable Use Policy, and Code of Conduct. The business unit owner and Pinecone IT provide the employee only with the relevant access rights, according to his or her work profile and role.
For an employee or an employee transferred to a new position, the CTO will provide the authorizations accordingly with the Role-Based Access Control Matrix after receiving a trigger from HR. Any change in an employee’s position in Pinecone or change in his or her access privileges is reported to HR and documented by HR.
Risk Assessment Process
Pinecone’s Risk Assessment process takes place on an annual basis to identify, assess, and manage risks that affect the company’s ability to achieve its objectives. The Risk Assessment process involves identifying, assessing, and minimizing risks through ongoing monitoring and risk assessment procedures that are built into the normal recurring activities and include regular management and supervisory activities. Action plans are tracked by the COO and communicated to appropriate personnel.
Incident Notification
Pinecone has an incident management policy, including effective identification, repairs, investigation, prevention, and follow-up actions. In case of a security incident, Pinecone’s incident management team will act and make decisions as necessary to appropriately respond to security incidents and breaches of personal data in accordance with the applicable laws and regulations.
The incident management team includes the CEO and COO and all relevant employees as decided by the CEO and COO. Wherever a security incident of either a physical or electronic nature is suspected or confirmed, all parties are expected to follow appropriate procedures and instructions given by the incident management team.
Monitoring
Pinecone aggregates production environment audit logs from various components such as Kubernetes, storage, and networking. Some of them are analyzed automatically (e.g. GuardDuty) while others are reviewed manually on a regular basis for signs of intrusion.
- Code Vulnerability Scanner: Pinecone performs weekly scans of its code base using a service that provides fix suggestions for any discovered vulnerabilities. Pinecone engineers promptly address any critical issues.
- External Vulnerability Scanner: Pinecone uses a service to scan production environments at least once a quarter for network vulnerabilities.
- Events Threat Detections: Pinecone’s production environment audit logs are archived and analyzed.
Questions
Contact us for more information related to Pinecone trust and security.