Security, Compliance, & Data Protection
Security Center
Read about HeyPico’s security, compliance and data protection.
Pico remembers everything you tell it; it also deletes it if you want it to forget.
Certifications

CASA Tac Security Tier 2
Security Controls
Controls verified from deployment scan; concise format without sensitive technical detail.
| 24 of 24 Controls Implemented |
|---|
| TLS 1.3 for public domains |
| TLS in transit (proxy + certificate at origin) |
| Credentials stored in Secrets Manager; encryption at rest (KMS) |
| Credentials fetched at startup; no plain secrets in manifests |
| Separate secret path per service and environment |
| IAM least privilege for Secrets Manager access |
| Credential and script volumes mounted read-only |
| Workflow/credential data encryption (managed key) |
| Redundancy (multi-cluster, multi-AZ, secret per environment) |
| Load balancer per service; inbound HTTPS only |
| Proxy + Under Attack Mode (managed challenge) |
| DDoS protection (SSL/TLS, network-layer, HTTP) |
| WAF (rate limiting; managed rules per plan) |
| Kubernetes (cluster, node group, namespace, ingress) |
| Images from central registry; imagePullSecrets |
| Autoscaling (HPA; KEDA for queue-based workers) |
| Network isolation (VPC, security group per layer) |
| Ingress HTTPS only; redirect and certificate |
| Geographic redundancy (multi-AZ; multi-region planned) |
| Per-environment isolation (namespace and secret) |
| Automated backup (DB to object storage; scheduled AMI) |
| Point-in-time recovery (from DB backup or AMI) |
| 24/7 Uptime monitoring and alerting |
| Container health checks and restart policy |