Protecting the security and privacy of our customers' data is the number one priority at PullString. This page describes our security procedures and practices. In addition, you can learn more about our policies by reviewing our Terms of Service and Privacy Policy.

Physical Security

PullString's data is processed and stored within industry-leading data centers that use state-of-the-art security measures, including:

  • 24x7 onsite professional security staff
  • Controlled physical access with multi-factor authentication
  • Intrusion detection and video surveillance systems
  • Automatic fire detection and suppression
  • Fully-redundant power systems with backup UPS units
  • Nondescript facilities to maintain low profile

Server Security

We use Amazon Web Services (AWS) to host all of our production services. PullString does not run its own physical production servers, DNS servers, auto scalers, or load balancers.

The TLS certificates for our production servers are 2048 bit RSA, signed with SHA256.

We use firewalls, security groups, and IP address whitelisting to limit access to servers and databases.

We implement Distributed Denial of Service (DDoS) mitigation by conforming to AWS resilient reference architectures through the use of AWS Shield, CloudFront, Route53, auto scaling, and load balancers.

We follow industry best practices in terms of only using strong cipher suites on our servers.

We have efficient build process automation that can deploy code fixes dozens of times a day, backed by extensive unit and liveness tests, giving us the ability to quickly react to potential security threats as necessary.

Web API Security

Our RESTful Web API can only be accessed over HTTPS to protect from eavesdropping and man-in-the-middle attacks.

All access to the PullString Web API requires an account-specific access key.

PullString runs regular liveness tests and integration tests on the Web API to ensure availability and correctness.

Customers' runtime conversational content is encrypted at rest on our servers.

Website Security

We enforce HTTPS for all pages of our websites and employ HTTP Strict Transport Security (HSTS) for additional security.

PullString's password requirements match or exceed that of most online services. We require all passwords to contain 8 or more characters and we disallow the use of commonly-used passwords.

Account sign in attempts are rate limited to counter brute force password attacks.

All passwords are stored in our databases using a secure one-way salted hash.


All customer data is stored in the USA.

We run automated data integrity checks to confirm the validity of customer data on our servers.

Service Levels

PullString provides a 99.95% Service Level Agreement (SLA) for our enterprise customers, using multiple and layered techniques to maintain reliable uptimes.


PullString's infrastructure is built on top of AWS, which provides leading standards for privacy and information security. This includes SOC2, SOC3, ISO 27001, and PCI DSS Level 1 compliance. As well as international privacy law compliance such as UK Data Protection Act and EU Privacy Shield. Learn more

Additionally, PullString complies with the EU-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal data from European Union member countries. Learn more

PullString has also gained Children's Online Privacy Protection Act (COPPA) compliance for specific kid-focused applications and infrastructure via the kidSAFE seal program, an independent FTC-approved COPPA Safe Harbor provider.

Security Team

PullString employs dedicated security and infrastructure professionals who have combined decades of experience in designing, building, and operating highly secure distributed systems.

Our security team has experience working proactively with external security researchers and companies to triage and rapidly address vulnerability reports.


Only employees with a business need to access internal services and data are granted access to those. Employees with this access are given appropriate privacy and security training.

We use a commercial password management service to store login credentials and to enforce access control to different internal services. Passwords for these internal services are programmatically generated and generally contain 20 or more randomly-selected characters.

We use industry-standard identity management systems such as Google Identity Platform to gate access to internal systems, and AWS Identity and Access Management (IAM) to define individual accounts and limit permissions across AWS resources.

All employee equipment has Mobile Device Management (MDM) software installed in order to enforce consistent security standards, such as FileVault disk encryption for all Mac equipment, location tracking, and remote wiping.

Data on employee computers is backed up continually and all backups are encrypted.

We employ virus detection on all incoming and outgoing email attachments.

Visitors to the PullString office must sign in using an online registration system.

PCI Obligations

PullString does not handle or store any credit card information. We outsource all payment processing to Stripe, a trusted Level 1 PCI Service Provider. Learn more

Contact Us

If you still have questions about PullString's security processes and procedures, or you want to report potential vulnerabilities or concerns, please contact us at