Common Privacy & Security Questions

Data security and privacy are serious concerns to PubNub, and we know they’re also important to our customers. Although we can’t tell you everything about our data security and privacy practices or disclose the specifics (that, in and of itself, wouldn’t be secure), we do want to address some of the most common questions we receive.


What service does PubNub provide?

PubNub is a developer platform that enables teams to build applications delivering real-time communication and collaboration. Customers use PubNub to power chat, live updates, and multi-user experiences across web, mobile, desktop, and embedded devices.

Where is our data stored?

PubNub processes customer data through a leading cloud service provider. All processing and optional message storage occur within that environment.

Customers can choose US-only, EU-only, or APAC-only data residency options.

What type of data is collected and stored?

Customers decide what data moves through PubNub’s network. PubNub functions solely as a data processor and transport layer and does not inspect or collect end-user data.

Under our Data Processing Addendum (DPA), customers specify the types of personal or sensitive data they transmit.

Who has access to my data?

Only authorized PubNub personnel have access, following the principle of least privilege. Access is reviewed regularly and removed immediately when roles change or employment ends. Subprocessors do not have direct access to customer data.

Are employees vetted and trained?

Yes. Employees and contractors undergo background screening before hire and must sign confidentiality and intellectual-property agreements. All staff complete mandatory security and privacy training at onboarding and annually.

Is customer data isolated from other tenants?

Yes. Customer data is logically separated within PubNub’s multi-tenant infrastructure and protected by unique keys and identifiers. Physical resources are shared but isolated at the virtual and database layers.

Do you encrypt data at rest and in transit?

Yes. All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption within our cloud environment.

How long is data retained?

Data retention is governed by customer configuration and contractual requirements. Unless message storage is explicitly enabled, data is automatically deleted in the normal course of business. For detailed information, please refer to PubNub’s Terms and Conditions and Privacy Policy.

How can we delete or correct data?

Customers can delete data via the Delete API, retrieve data with the History API, or delete and republish corrected messages. Account and billing details can be updated through the PubNub Admin Portal.

Does PubNub sell or share data with third parties?

No. PubNub does not sell or share personal information with third parties. Data is used only to deliver and support contracted services, as outlined in our Privacy Policy.

What secure-coding practices does PubNub follow?

PubNub engineers follow OWASP Top 10 secure-development standards, with peer review, automated scanning, and regular code analysis to identify and fix vulnerabilities before release.

Do you have a service-status page?

Yes. You can view current and historical uptime at status.pubnub.com. Any incidents or maintenance events are posted there in real time.

How does PubNub ensure service reliability?

PubNub’s globally distributed, microservices-based architecture provides high availability and fault tolerance. Multiple regions and availability zones ensure continuity even if a data center becomes unavailable.

Select enterprise customers receive a 99.999% SLA; all other services maintain a 99.9% uptime SLA.

How does PubNub monitor for and respond to security incidents?

PubNub employs automated monitoring and alerting to detect anomalies in near real time. Confirmed incidents follow our Incident Response Plan, which includes escalation, containment, and customer notification within required time frames (for example, 72 hours under GDPR).

Does PubNub have a vulnerability reporting or bug bounty program?

Yes. PubNub maintains a formal Bug Bounty Policy and encourages responsible disclosure of potential vulnerabilities. Security researchers may report issues to support@pubnub.com. All submissions are reviewed in accordance with PubNub’s vulnerability management process, and validated findings are remediated based on severity and impact.

How does PubNub vet subprocessors and vendors?

All subprocessors undergo security and privacy due diligence reviews before engagement and are reassessed annually. Each maintains appropriate certifications such as SOC 2 and/or ISO 27001, and all processing is governed by written agreements and DPAs.

Does PubNub comply with PCI-DSS?

Yes. PubNub’s payment processing is handled by Stripe, a PCI DSS Level 1-certified service provider. PubNub does not store, transmit, or process any payment card information within its systems.

What risk-management activities does PubNub perform?

PubNub completes formal annual risk assessments, independent SOC 2 Type II and ISO 27001 audits, and third-party penetration testing. New vendors undergo an internal security evaluation before integration.

How does PubNub handle law-enforcement or government data requests?

Requests are reviewed to ensure legal validity and scope. Unless prohibited by law, PubNub notifies customers before any disclosure so they may seek protection.

Can customer data be processed outside the U.S.?

Yes. Customers can select US-only, EU-only, or APAC-only processing. PubNub supports GDPR, Standard Contractual Clauses (SCCs), and Data Processing Addendums (DPAs) for cross-border compliance.

Is PubNub independently certified?

Yes. PubNub holds SOC 2 Type II attestation and ISO 27001:2022 certification, verified annually by accredited third-party auditors.

PubNub is also compliant with:

For more information, please visit our Security and Compliance page.