Security

Your business runs here.
We treat it that way.

Projects, customers, hours, and documents in one place demands real security controls — here's exactly what protects them.

Permissions, down to the project

  • Workspace roles plus per-project membership — clients and contractors see only the projects they're on
  • Granular, per-app permissions checked on every request, not just at the door
  • Apps can be enabled per project, so teams only see what they use

Bring your own AI — safely

  • The built-in assistant, API tokens, and MCP connections all act as the user who owns them — never more
  • Token scopes narrow access further; a token can hold fewer permissions than its owner
  • AI changes are proposed first and applied only after approval

Passwordless by design

  • No passwords to steal — sign-in via magic link or Google, GitHub, and Microsoft OAuth
  • Sign-in tokens stored only as one-way hashes
  • Optional two-factor authentication, with MFA secrets encrypted at rest

Encryption everywhere

  • All traffic encrypted in transit
  • Databases, files, and backups encrypted at rest with managed keys
  • API tokens shown once and stored only as hashes

Hardened and monitored

  • Production data lives on a private network with no public access
  • Strict Content-Security-Policy and security headers on the app
  • Structured audit trail for authentication events; desktop apps code-signed and notarized

SOC 2-aligned program

  • Controls documented and mapped to SOC 2 Trust Services Criteria
  • Access reviews, change management, and disaster-recovery procedures maintained

Found a vulnerability? We want to hear about it — hello@pinboard.ai. We respond to good-faith reports and credit researchers who ask.

Early access

Security questions before you commit?

Ask us anything at hello@pinboard.ai — or request access and see the controls from the inside.

Free plan available · No credit card · Free while in early access