Pebble Trust Commitment
What we commit to, and the proof behind it.
Effective May 22, 2026 · Self-attested by Pebble Engine
This is a self-attested commitment. Pebble Engine is not yet SOC 2 or ISO 27001 certified — those are real audits we'll pursue once we've cleared the revenue + headcount thresholds to fund them well. We'll publish the report and the badge here when they're real.
Until then, this page is the receipts: every claim below is described in plain language so you can verify, ask follow-ups, and request artefacts (DPA, security questionnaire) for your own procurement process. We'd rather be honest about where we are than mock up a certification we haven't earned.
GDPR
5 commitmentsProcessor / Controller roles documented (Article 28)
You are the data controller for the personal data Pebble handles on your behalf. Pebble is the data processor. Our DPA spells out the roles and obligations both ways.
EvidenceSee the Data Processing Addendum. Signed copy available on request from web@getpebble.net.
Appropriate technical and organisational measures (Article 32)
TLS 1.2+ in transit on every endpoint. Encryption at rest for account data, sentinels, and form submissions. Passwords hashed via Supabase Auth (Argon2). Per-tenant filesystem isolation in the engine. Database row-level security via Supabase RLS prevents cross-tenant reads even if an authorisation check is missed at the API layer.
EvidenceSub-processor list in /dpa; each provider is independently SOC 2 Type II certified.
Personal data breach notification (Articles 33 & 34)
On confirmation of a personal data breach affecting your data, we notify you without undue delay — target 48 hours, well inside the regulatory 72-hour window. Notification includes scope, affected data categories, mitigations, and remediation timeline.
EvidenceInternal breach-notification SOP. The notification commitment is part of the DPA we sign with you.
International transfers via Standard Contractual Clauses
EEA → US data transfers happen through our sub-processors (Supabase, Stripe, Resend, Cloudflare, Railway, Vercel, Anthropic, Google, OpenRouter), all of which operate under the EU SCCs.
EvidenceSub-processor regions + privacy-policy links in /dpa.
EU Representative (Article 27)
Pebble Engine processes personal data of EEA / UK residents and is therefore subject to the appointment of an EU Representative under GDPR Article 27 and a UK Representative under the UK GDPR. Both appointments are in process; until they're finalised, EU and UK data subjects can address rights requests to the contact below and we will route them appropriately under reasonable timelines.
EvidenceInterim contact: web@getpebble.net. Formal Representative appointment listed here once executed.
Data Rights
3 commitmentsAccount deletion with a real cooling-off window
Request deletion from your account settings. The request enters a 14-day cooling-off window so you can cancel by mistake without losing your work. After the window, all associated personal data is purged from our systems and sub-processor cleanups run that same week.
EvidenceImplemented end-to-end with audit logging. Cooling-off length configurable via deployment env (default 14 days).
Access, rectification, portability — within GDPR timelines
Requests for access (what data we hold), rectification (fix incorrect data), or portability (export your projects in machine-readable form) are honoured within the GDPR-mandated 30-day window. Most requests are fulfilled within 5 business days.
EvidenceEmail web@getpebble.net with your account email. We log every request and the response for our own audit trail.
Cookieless analytics — no consent banner needed
Pebble's own product analytics (visit counts, page views) run on Plausible, which is fully cookieless and aggregated. We don't fingerprint browsers, don't store IPs, and don't sell anonymised behaviour data to anyone.
EvidencePlausible is GDPR / PECR / CCPA compliant by design — see plausible.io/data-policy. Generated sites can opt into the same setup via the analytics integration.
Security
4 commitmentsBuilt on SOC 2 / ISO 27001 infrastructure
Every layer Pebble depends on — auth, database, payments, email, CDN, hosting, AI — is operated by a SOC 2 Type II and / or ISO 27001 certified provider. That doesn't make Pebble itself certified, but it means the platform under the application is auditable.
EvidenceSupabase (SOC 2 Type II + ISO 27001 + HIPAA), Stripe (SOC 2 Type II + ISO 27001 + PCI DSS), Cloudflare (SOC 2 Type II + ISO 27001), Railway (SOC 2 Type II), Vercel (SOC 2 Type II), Anthropic (SOC 2 Type II), Resend (SOC 2 Type II).
Tenant isolation by default
Each customer's projects live in a per-tenant directory the engine validates on every request via a centralised slug guard. Database row-level security (Supabase RLS) prevents cross-tenant reads even if an authorisation check is missed at the API layer — defence in depth.
EvidenceSlug guard + ownership-check helpers are the entry point for every project mutation. Schema-level RLS policies are version-controlled with the rest of our infrastructure code.
Secrets stay in the secret channel
API keys, OAuth tokens, and webhook secrets are stored only in environment variables — never in source, never in the database, never in user-facing UI. Per-project integration credentials, when added, use envelope encryption.
EvidenceEngine secrets live in .env files outside the repository. Vault-style encryption is in place for any third-party credentials we store on a customer's behalf.
External audit roadmap — honest version
Pebble itself is not yet SOC 2 Type II or ISO 27001 certified. We're following the standard SaaS path: implement the controls first (done), engage Vanta or Drata for continuous monitoring (next milestone), then run the 6-12 month observation period and external audit. Targeting our first SOC 2 Type II report at ~$500K ARR.
EvidenceWe'll publish the audit report and badge here when it's real. Until then this section stays honest about what's certified (infrastructure) and what's not (Pebble itself).
Security questionnaire (CAIQ)
For B2B procurement teams: we maintain a completed CSA CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire) — the standard self-attested security questionnaire that's the practical substitute for SOC 2 at our stage. Available on request from web@getpebble.net. We'll send the current version (PDF or Excel) inside one business day, no NDA required for the questionnaire itself.
Verified credentials
What's real today. Click any of these to verify the result yourself — none of them require you to take our word.
- SSL Labs A+ rating — third-party scan of our TLS configuration. Live grade available at ssllabs.com/ssltest. Auto-rescans on every deploy; covers TLS 1.3, post-quantum key exchange (X25519MLKEM768), forward secrecy, and HSTS with a 2-year max-age.
- Mozilla Observatory B+ (80/100) — third-party scan of our HTTP security headers. Live grade at developer.mozilla.org/observatory. Covers Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS. We're working toward A+ (requires nonce-based CSP — see below).
Working toward — next 30 days
We don't want to talk about security without taking concrete steps. Below are the public, third-party-listed credentials we're actively pursuing right now. Each one is free and verifiable.
- HSTS preload list — pebbleapp.ai is submitted and pending inclusion in Chrome / Firefox / Edge / Safari's HSTS preload lists. Once shipped (typical wait: 6-12 weeks), browsers refuse to connect to pebbleapp.ai over plain HTTP at the binary level — no downgrade attack possible.
- OpenSSF Best Practices Badge — Open Source Security Foundation badge for projects that meet a documented set of secure-development practices. We'll be listed on bestpractices.dev with the answers we submitted visible to anyone.
- Mozilla Observatory A+ grade — currently at B+ (above). The last 20 points require nonce-based CSP (no 'unsafe-inline' / 'unsafe-eval'). That's a Next.js middleware change we'll ship once we've verified it doesn't break hydration in any DNA combo.
- SOC 2 Type II — the real audit. Vanta or Drata for continuous monitoring at ~$200K ARR, full Type II audit at ~$500K ARR. We'll publish the report and the badge here when it's real.
We're shipping these because we'd rather earn a real credential than slap a mocked-up one on the site. If you're evaluating Pebble and want a status update on any of the above, email web@getpebble.net.
Reporting a security issue
Found something concerning? Email web@getpebble.net with details. We acknowledge security reports within 24 hours and will keep you updated through remediation. We don't currently run a paid bug-bounty program; we DO send genuine thanks and a Pebble t-shirt for any report that materially improves our security posture.
Changes to this commitment
Material changes (a commitment removed or weakened, a new sub-processor added) are announced to your account email 30 days in advance. Editorial changes (clarifications, typo fixes, evidence-link updates) are committed silently — full revision history lives in the project's Git log.
Related documents
- Privacy Policy — what we collect, how we use it, your rights
- Data Processing Addendum — sub-processor table + signed-copy request
- Terms of Service — account ownership, generated-content rights, liability