Security Policy

Last updated: February 20, 2026

1. Introduction

Pixell Global Inc. ("Pixell," "we," "us," or "our") is committed to maintaining the security and confidentiality of all data entrusted to us by our users, partners, and third-party platforms. This Security Policy outlines our information security program, including our technical and organizational measures to protect data, respond to incidents, and ensure compliance with applicable regulations.

2. Information Security Program

Pixell maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all systems and data. Our program encompasses the following areas:

  • Governance: Security policies are reviewed and updated regularly by the Data Protection Officer
  • Risk Management: We conduct ongoing risk assessments to identify and mitigate threats to our systems and data
  • Compliance: We align our practices with industry standards and applicable legal requirements
  • Training: All personnel with access to systems or data receive security awareness training
  • Continuous Improvement: Security controls are evaluated and improved on a regular basis

3. Access Control

We enforce strict access controls based on the principle of least privilege:

  • Role-Based Access: Access to systems and data is granted based on job responsibilities using AWS IAM policies with granular permissions
  • Multi-Factor Authentication (MFA): MFA is required for all critical systems including cloud infrastructure (AWS), source code repositories (GitHub), and administrative dashboards
  • SSH Key Authentication: Server access requires SSH key-based authentication; password-based SSH access is disabled
  • Credential Management: Secrets, API keys, and database credentials are stored in AWS Systems Manager Parameter Store, never in source code
  • Access Reviews: Access permissions are reviewed regularly and revoked promptly when no longer needed
  • Session Management: Automatic session timeouts and screen locking are enforced on all company devices

4. Network Security and Segregation

Our infrastructure is designed with defense-in-depth principles:

  • Virtual Private Cloud (VPC): All infrastructure runs within isolated AWS VPC environments with defined network boundaries
  • Private Subnets: Databases and internal services are deployed in private subnets that are not directly accessible from the public internet
  • Security Groups: Firewall rules (AWS Security Groups) restrict inbound and outbound traffic to only necessary ports and IP ranges
  • Load Balancing: Public-facing traffic is routed through Application Load Balancers (ALB) with health checks and DDoS mitigation
  • TLS Everywhere: All external communications use TLS 1.2 or higher; internal service-to-service communication is encrypted
  • CDN Protection: Frontend assets are served through Amazon CloudFront with edge caching and built-in DDoS protection

5. Data Classification and Encryption

We classify data based on sensitivity and apply appropriate protection measures:

Data Classification

  • Confidential: OAuth tokens, API keys, user credentials, payment data — encrypted at rest and in transit, access restricted to essential services only
  • Internal: User account data, conversation history, agent configurations — encrypted at rest and in transit, access controlled by role
  • Public: Marketing content, documentation, published policies — no encryption required

Encryption Standards

  • In Transit: All data transmitted between clients and servers is encrypted using TLS 1.2+ (HTTPS)
  • At Rest: Database storage (Amazon RDS) uses AES-256 encryption. File storage (Amazon S3) uses server-side encryption (SSE-S3)
  • Sensitive Tokens: OAuth access tokens and refresh tokens are encrypted before storage in the database using application-level encryption
  • Backups: Database backups are encrypted using the same AES-256 standard

6. Endpoint Security

All company endpoints (laptops, workstations) are protected with the following measures:

  • Anti-Virus / Anti-Malware: Built-in OS security (macOS XProtect, Gatekeeper, MRT) is enabled and automatically updated on all devices
  • Disk Encryption: Full-disk encryption (FileVault) is enabled on all company devices
  • Automatic Updates: Operating system and software security patches are applied promptly
  • Screen Lock: Automatic screen lock is enforced after a period of inactivity
  • Secure Configuration: Default passwords are changed, unnecessary services are disabled, and firewalls are enabled

7. Vulnerability and Threat Management

We maintain proactive vulnerability and threat management processes:

  • Dependency Scanning: GitHub Dependabot monitors all repositories for known vulnerabilities in dependencies and automatically creates alerts and pull requests for remediation
  • Infrastructure Monitoring: AWS CloudWatch monitors infrastructure health, performance metrics, and anomalous activity
  • Logging: Application and access logs are collected and retained for security analysis and forensic investigation
  • Patch Management: Security patches for application dependencies, operating systems, and infrastructure components are applied on a regular schedule and expedited for critical vulnerabilities
  • Code Review: All code changes undergo review before deployment to production to prevent introduction of security vulnerabilities

8. Incident Response Policy

Pixell maintains an incident response policy to ensure rapid and effective response to security incidents. Our incident response process follows these phases:

8.1 Identification and Reporting

  • Security incidents can be reported by any team member, automated monitoring systems, or external parties
  • External reports should be directed to security@pixell.global
  • All suspected incidents are logged and triaged immediately based on severity

8.2 Containment

  • Affected systems are isolated to prevent further damage or data exposure
  • Compromised credentials are rotated immediately
  • Temporary mitigations are applied while root cause analysis is underway

8.3 Investigation and Remediation

  • Root cause analysis is performed using application logs, access logs, and infrastructure metrics
  • Forensic evidence is preserved for potential legal or regulatory purposes
  • Permanent fixes are developed, tested, and deployed

8.4 Notification

  • Affected users and partners are notified within 72 hours of confirmed data breaches
  • Regulatory authorities are notified as required by applicable law (e.g., CCPA, state breach notification laws)
  • Platform partners (TikTok, Google, etc.) are notified if their data is involved

8.5 Post-Incident Review

  • A post-incident review is conducted to identify lessons learned
  • Security controls are updated to prevent recurrence
  • Incident documentation is retained for compliance and audit purposes

Roles and Responsibilities

The Data Protection Officer (DPO) is responsible for overseeing incident response coordination, stakeholder communication, and regulatory notifications. All personnel are responsible for promptly reporting suspected security incidents.

9. Internal Data Protection Policy

Pixell maintains internal policies governing the handling of personal data:

  • Data Minimization: We collect and process only the minimum personal data necessary to provide our services
  • Purpose Limitation: Personal data is used only for the purposes stated in our Privacy Policy and authorized by the data subject
  • Storage Limitation: Personal data is retained only as long as necessary for its stated purpose and deleted or anonymized thereafter
  • Third-Party Data Processing: Third-party services that process personal data on our behalf are vetted for adequate security and privacy practices
  • Data Subject Rights: We honor data access, correction, deletion, and portability requests in accordance with applicable law
  • Cross-Border Transfers: When personal data is transferred internationally, appropriate safeguards (e.g., standard contractual clauses) are applied
  • Regular Updates: This policy is reviewed and updated at least annually or when material changes occur in our data processing activities

10. Breach Notification Process

In the event of a confirmed data breach involving personal data, Pixell will:

  • Notify affected individuals and partners within 72 hours of confirmation
  • Provide a description of the nature of the breach, including the categories and approximate number of records affected
  • Describe the likely consequences of the breach and the measures taken to address it
  • Notify applicable regulatory authorities as required by law
  • Provide contact information for the Data Protection Officer for further inquiries
  • Document all breach-related activities for compliance and audit purposes

11. Data Protection Officer

Pixell has appointed a Data Protection Officer (DPO) responsible for:

  • Overseeing compliance with data protection laws and this security policy
  • Serving as the primary point of contact for data protection inquiries from users, partners, and regulators
  • Coordinating incident response and breach notification procedures
  • Conducting regular reviews of security and privacy practices
  • Ensuring personnel are trained on data protection responsibilities

DPO Contact: privacy@pixell.global

12. Infrastructure and Hosting

All Pixell services are hosted on Amazon Web Services (AWS), which maintains comprehensive security certifications including SOC 1/2/3, ISO 27001, and FedRAMP.

  • Region: All data is stored and processed in the United States (AWS us-east-2, Ohio)
  • Compute: Amazon EC2 instances with security-hardened configurations
  • Database: Amazon RDS with encryption at rest, automated backups, and private subnet deployment
  • Storage: Amazon S3 with server-side encryption and access logging
  • DNS and CDN: Amazon CloudFront and Route 53 with DDoS protection
  • Secrets Management: AWS Systems Manager Parameter Store for secure credential storage

13. Business Continuity and Disaster Recovery

Pixell maintains business continuity and disaster recovery measures to ensure service availability:

  • Automated Backups: Database backups are performed automatically on a daily basis and retained for point-in-time recovery
  • Infrastructure as Code: Server configurations and infrastructure are managed through reproducible deployment scripts, enabling rapid recovery
  • Health Monitoring: Automated health checks monitor service availability and trigger alerts for degraded performance or outages
  • Redundancy: Critical services are deployed with load balancing and health-check-based failover
  • Recovery Procedures: Documented rollback and recovery procedures enable rapid restoration of services

14. Data Deletion and Retention

At the end of a contractual or service relationship:

  • All customer data in our possession will be deleted or anonymized within 30 days of account termination
  • OAuth tokens and third-party platform credentials are revoked and deleted immediately upon disconnection
  • Backups containing customer data are purged according to the backup retention schedule (maximum 30 days)
  • We will provide data export capabilities upon request prior to account deletion
  • Certain data may be retained as required by law, but only for the minimum period required

15. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our practices or applicable regulations. Material changes will be posted on our website with an updated effective date. Partners and users will be notified of significant changes via email.

16. Contact

For security-related inquiries, vulnerability reports, or questions about this policy:

Pixell Global Inc.
Security: security@pixell.global
Data Protection Officer: privacy@pixell.global