Point11

Security

Last updated: February 18, 2026

Point11 is committed to protecting the security and privacy of our customers’ data. This page describes our security practices, infrastructure, and certifications.

Infrastructure

Hosting

Point11’s SaaS Platform is hosted on Vercel and AWS in the United States. Customer-facing Deliverables may be deployed into Customer-controlled cloud environments as specified in the applicable Order Form.

Encryption

  • Data in transit — Encrypted using TLS 1.2 or higher for all connections
  • Data at rest — Encrypted using AES-256 or equivalent

Access Controls

  • Multi-factor authentication (MFA) required for all administrative access
  • Role-based access controls (RBAC) with least-privilege principles
  • Access to production systems restricted to authorized engineering personnel
  • Access reviewed quarterly

Network Security

  • Web application firewall (WAF) protection
  • DDoS mitigation
  • Network segmentation between production and development environments

Certifications & Compliance

SOC 2 Type II

In progress — target completion Q3 2026

GDPR

Point11 processes personal data in compliance with the General Data Protection Regulation. Our Data Processing Addendum is available at point11.com/legal/dpa.

CCPA/CPRA

Point11 complies with the California Consumer Privacy Act and California Privacy Rights Act. See our Privacy Policy at point11.com/legal/privacy.

HIPAA

Contact legal@point11.com to discuss HIPAA requirements and Business Associate Agreement availability.

PCI DSS

Point11 does not directly process or store payment card data. Payment processing is handled by PCI DSS-certified sub-processors (e.g., Stripe).

Data Handling

No Training on Customer Data

Provider does not use Customer Data to train, retrain, fine-tune, or improve general-purpose AI/ML models. This includes a prohibition on reinforcement learning from human feedback (RLHF), model distillation, and all indirect learning methods. See our Data Processing Addendum at point11.com/legal/dpa.

Data Location

Customer Data is stored and processed within the United States unless otherwise agreed in writing.

Data Retention

Upon termination, Customer Data is available for retrieval for 30 days, after which it is securely deleted.

Sub-Processors

A current list of sub-processors is maintained at point11.com/legal/sub-processors.

Vulnerability Management

  • Regular automated vulnerability scanning
  • Responsible disclosure program (report vulnerabilities to security@point11.com)
  • Timely patching of critical and high-severity vulnerabilities

Incident Response

  • Security incidents reported to affected customers within 72 hours
  • Post-incident review and remediation for all confirmed incidents

Employee Security

  • Security awareness training for all employees
  • Confidentiality agreements for all personnel

Business Continuity

  • Automated backups with defined RPO and RTO (see SLA)
  • Multi-region architecture for production systems

Security Questionnaires & Due Diligence

Enterprise customers may request:

  • SOC 2 Type II report (under NDA)
  • Completed SIG or CAIQ security questionnaire
  • Evidence of penetration testing
  • Insurance certificates

Contact legal@point11.com or your account representative.

Responsible Disclosure

If you discover a security vulnerability in Point11’s platform, please report it responsibly to security@point11.com. We ask that you:

  • Provide sufficient detail to reproduce the issue
  • Allow reasonable time for remediation before public disclosure
  • Do not access or modify other users’ data

We appreciate the security research community’s efforts and will acknowledge valid reports.