Trust and Security FAQ

Data security and privacy are serious concerns to PubNub, and we know they’re also important to our customers. Although we can’t tell you everything about our data security and privacy practices or disclose the specifics (that, in and of itself, wouldn’t be secure), we do want to address some of the most common questions we receive.

Briefly describe the service you are providing:

PubNub is a developer platform that enables software teams to build apps that deliver real-time communication and collaboration. Our customers use our platform to deliver chat and other multi-user experiences in solutions that run on embedded devices, mobile devices, desktop applications, and web browsers.

Where is our data stored?

PubNub processes Customer's data and settings through a major Cloud service provider. Any backups of Customer data where Customer opts into storage and playback service are also processed within our Cloud service provider.

What type of data is collected and stored?

The customer defines what data is transmitted over the PubNub network. PubNub, as a Data Processor, acts as a network data transport, and PubNub does not know what data is passed through its networks unless it is informed by its customer. In the Data Processing Addendum (DPA), PubNub relies on its customers to specify the data types being collected, including PII.

Who has access to my data?

Subcontractors have no direct access to customer data. Access is limited to PubNub staff on a least privilege basis, so that only the required staff have access.

Is data segmented and separated?

Customer data is isolated in one or both ways. Physically residing within separate hardware servers and | or logically within separate VPS. Data is isolated and distinct from other tenants where applicable.

Logical separation is applied at the database layer, maintained with unique client keys.

Do you encrypt data at rest and in transit?

PubNub encrypts customer data in transit and at rest.

All customer data stored within PubNub cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ to protect it from unauthorized disclosure or modification.

Customer data stored in PubNub cloud products and services is AES-256 encrypted at rest.

How are your internal retention limits handled?

Data is retained based on requirements specified by the customer during the account setup and onboarding process. Unless storage is turned on, customer data is deleted after 90 days in the normal course of business.

Is Customer data stored in a physically or logically separate format from other clients' data?

Customer data is logically separated but not physically separated as it flows through PubNub’s Data Stream Network.

How can we get our data erased or deleted from your services? How about rectification of data?

For erasure requests: PubNub has a Delete API feature where customers may delete data.

For access requests: PubNub has a History API feature where customers may access the data published over PubNub.

For rectification requests: Customers may delete a data message then publish a new message. Customers may update contact information for billing or administrators, or remove admin contacts through the PubNub web portal which does not have a customer API.

Does PubNub sell/share data with third parties?

PubNub does not sell any personal information to third parties, and your personal data is only used in accordance with our Privacy Policy.

What coding Practices does PubNub utilize?

Our development team follows OWASP secure coding practices.

Do you have a service status page?

PubNub offers a service status page located at https://status.pubnub.com. In the event of an interruption of the service, the process for notifying customers is through the status page.

How do you ensure that your service is reliable?

PubNub employs a microservices architecture to ensure minimal impact on system health in the case of failure of one or more components. Multiple Availability Zones are used to provide further redundancy and we have alternative providers for some of the services we rely on. Select customers are provided with a 99.999% SLA, subject to terms of the SLA.

Will you share my data for the purpose of law enforcement?

PubNub will always provide the utmost importance to customer’s privacy. When we receive requests from law enforcement authorities, we review such requests to see if the applicable legal process is followed to obtain a valid and binding order. We object to overboard or otherwise inappropriate requests. Unless prohibited by law, we notify customers before disclosing customer data so that the customers can seek protection from disclosure.

Does PubNub have monitoring in place for the detection of suspected incidents?

PubNub has extensive monitoring and alerting tools that provide near real-time monitoring to on-call engineers. In the event of an incident, our Incident Response Management Plan will be initiated.

Does PubNub have a vetting process for its subprocessors?

Yes, all of PubNub’s subprocessors have undergone a rigorous Vendor Management review to assess how customer information is protected, from both privacy and security perspectives.

Can data be processed in countries outside of the U.S?

Customers may elect to have EU or APAC only data processing by contacting support@pubnub.com to turn on this feature. PubNub maintains an internal GDPR policy, which includes cooperation with supervisory authority, and also has a policy regarding government access requests. Additionally, PubNub will execute a DPA and SCCs upon request.

What Risk Management activities does PubNub complete?

PubNub performs an internal risk assessment once a year, as well as undergo SOC 2 Type 2, and ISO 27001s audit once a year via a third-party auditor. Finally, we have a third-party Pentest for our platform and public facing websites. All new software that has access to company data undergoes an internal vendor security evaluation before implementation.

Is PubNub PCI-DSS compliant?

PubNub has partnered with a payment processor (Zuora) that is certified as PCI Level 1, the most stringent level of certification available. See their security site for detailed information about their security measures. Any credit card payments paid through our billing processor are processed according to the PCI-DSS requirements. Therefore, PCI-DSS data is not stored on our service, and we are not required to be PCI-DSS certified.