Security is the product, not a tab

How we keep your data safe

• UK hosting only. Control plane, database, and all backups stay on UK infrastructure. Your data never leaves UK jurisdiction.
• Multi-tenant isolation. Every database query is gated on organization_id at the SQL layer. No shared tables across organisations; cross-tenant reads are physically impossible by design.
• Encryption in transit. TLS 1.2+ for all traffic. HSTS preload-eligible (1-year max-age, includeSubDomains). All agent ↔ host traffic over HTTPS.
• Encryption at rest. Application secrets, webhook URLs, third-party API keys, and BitLocker recovery keys are wrapped with AES-256-GCM (16-byte authentication tag enforced) before storage. Agent device tokens are wrapped with Windows DPAPI on the endpoint.
• Encrypted backups, offsite. Daily AES-256-CBC encrypted backup with 14-day rotation; key separation between application and backup tier.
• Device-token rotation. Every agent device token is rotated automatically every 30 days during check-in; stale tokens are refused and force re-enrolment.
• Step-up authentication. High-blast-radius actions (remote desktop enable, app deploy, run-script, force-update-all) require an explicit MFA step-up token within the last 5 minutes — not just a logged-in session.
• Rate limiting. Every authentication, billing, and command endpoint is rate-limited per-IP. Webhook destinations are SSRF-checked before saving.

Compliance frameworks — evidence walkthroughs

Every framework below ships with an evidence-walkthrough document mapping PatchPilot features to specific control IDs — the exact thing an auditor or insurer asks for.

Evidence walkthroughs (markdown, customer-redactable) are bundled with every paid plan. Your CISO, auditor, or cyber-insurance underwriter can pull the exact evidence they need from the audit log without going through us.

Responsible disclosure

If you believe you have found a security vulnerability in PatchPilot, please report it privately to security@patchpilot.co.uk. We commit to:

• Initial response within 1 working day (UK Mon–Fri).
• Triage decision within 5 working days. Severity classification (CVSS 3.1) and a target remediation window.
• No legal action against good-faith researchers who follow this policy and avoid customer-data access, denial-of-service testing, or social engineering.
• Public credit on our security advisories page (with your permission).

Out of scope

• Volumetric DoS / DDoS testing — please contact us first.
• Findings against third-party services we integrate with (Stripe, Resend, Cloudflare, Microsoft Graph). Report those to the respective vendor.
• Reports based solely on automated scanner output without a working PoC.

Encrypted reports

For sensitive reports, please request our PGP public key by emailing security@ and we will respond with the key fingerprint and a current key file.

Security controls in production

• Audit log everywhere. Every admin action, every approval, every device command, every billing event is appended to an immutable per-org audit log; SIEM-ready CEF/LEEF export available.
• Webhook signature verification. Stripe webhooks verified with HMAC; idempotency dedup on event ID prevents replay.
• SSRF guard on outbound webhooks. User-provided URLs are validated to block loopback, link-local, and metadata IP ranges before saving.
• Mutual TLS for agent identity. Optional client-certificate enrolment as a defence-in-depth layer on top of bearer-token authentication.
• Defender + ASR integration. Microsoft Defender status and Attack Surface Reduction posture reported alongside patch state for unified compliance view.
• VSS pre-patch snapshot. Volume Shadow Copy snapshot taken before every Windows update loop, enabling rapid rollback if a patch breaks an endpoint.

What we do not collect

The agent intentionally collects the minimum signal needed to do its job. We do not collect:

• File contents, document bodies, or any user-created data.
• Browser history, browsing data, or browser cookies.
• Process command lines, network packet captures, or memory snapshots.
• Keystroke or screen telemetry.
• Personal data beyond the device's hostname, OS version, installed-app inventory, and patch state.

Incident response

In the event of a security incident affecting customer data:

• Affected customers will be notified within 72 hours of confirmed impact, in line with UK GDPR Article 33 (controller) / Article 33(2) (processor) timelines.
• A post-incident report will be made available to all paying customers within 14 days of containment.
• For breaches involving personal data, the ICO will be notified per UK GDPR; affected data subjects will be notified directly where there is a high risk.

Our backup-restore runbook is exercised at least quarterly; restore-to-clean-DB is timed and recorded in the launch-readiness compliance pack.