Security at Pigment

Pigment is built on enterprise-grade security, verified by independent auditors and designed to meet the requirements of the world's most security-conscious organisations.
For more detailed information about security at Pigment - compliance documents, evidence, policies, and more - visit the Trust Center.

Main product security features

Authentication and user management

Pigment supports SAML 2.0 SSO and SCIM provisioning, compatible with any compliant identity provider such as Okta and Microsoft Entra ID. Alternatively, support for Google Login offers an additional turnkey single sign-on option.

Pigment also supports multi-factor authentication (MFA) to further secure access to the platform, as well as domain allowlisting to ensure that only users from the domains you trust can be provisioned within Pigment.

Role-based access control

Pigment offers group-based role assignment, allowing you to map groups of users to permission sets across your entire Workspace.

Groups make it easy to assign, track, and maintain users' roles across the entire workspace from a central location, without writing any code or formulas.

Audit and traceability

Pigment offers comprehensive audit trail features to support strong visibility and oversight. With the Audit Trail API, you can ingest login, administration, security and application events into your SIEM for further monitoring and analysis.

Within Pigment, your applications each have detailed histories down to the data block level, which offer full visibility into the edit events taken on your data models.

Test & deploy

Pigment offers testing environments that allow your modellers to plan and stage changes before they are pushed into the production application. These environments are linked, and the production application can be locked to prevent modification outside of the test environment, providing a safe change management process for your critical applications.

Data access rights

Separate from role-based access control, Pigment offers fine-grained data access rights for all data within your Pigment applications, allowing you to determine who can see and modify specific data based on attributes associated with your users.

Data residency and sovereignty

Customer data is stored in the region you choose: europe-west3 (Frankfurt, Germany) or us-west1 (Oregon, USA).

For organisations requiring French or European sovereign hosting, Pigment is available on S3NS, a SecNumCloud 3.2 certified cloud operated by S3NS, a Thales subsidiary. S3NS provides infrastructure that is legally and operationally shielded from non-European jurisdictions.

Business continuity and disaster recovery

Pigment runs across three independent Google Cloud zones per region. Backups are stored in multi-regional buckets within the customer's chosen geography. Our disaster recovery plan is tested annually with a live exercise, and it targets a recovery time objective (RTO) of 6 hours and a recovery point objective (RPO) of 24 hours.

Secure Implementation

Pigment’s Secure Implementation Guidebook helps security teams deploy Pigment using built-in controls and configuration guidance aligned to their security objectives. It outlines how to apply Pigment’s security features in practice, supporting secure rollout and ongoing operations in your environment.

Request a copy at any time via the Trust Center.

Our security policies

Certifications and compliance

Pigment holds SOC 2 Type 2 and ISO 27001 certifications, independently audited on an annual basis. Our compliance program covers GDPR and CCPA/CPRA, with formal policies reviewed at least yearly across all security domains.

Moreover, our customers can operate Pigment in compliance with the relevant provisions of the Sarbanes-Oxley (SOX) Act.

Dedicated security team

Pigment employs a full-time, dedicated security team: a Chief Information Security Officer (CISO) and security engineers who work across the company to keep our product and platform secure. Our security team partners closely with engineering to embed security into design, development, and operations, and we maintain and evolve our security program to meet customer expectations and support relevant industry standards.

Encryption

We keep your data encrypted at all times.

Data at rest, including databases and backups, is encrypted using AES-256. Data in transit is encrypted using TLS 1.2+ with HSTS preloading. We use short-lived, programmatically renewed certificates and do not issue wildcard certificates.

Employee access

Access is governed by role-based access control (RBAC) and the principle of least privilege, with conditional access policies, mandatory MFA, and quarterly review of access rights.

Security assurance

Our continuous security assurance program includes yearly third-party audits, penetration tests, red team exercises, a vulnerability disclosure program, and a bug bounty program, on top of our internal security reviews. Automated security scans run every day. These include checks for infrastructure configuration hardening, external website vulnerabilities, asset discovery, and scanning of container images and software dependencies.

Our network perimeter is protected by a web application firewall, an intrusion detection system, and zero trust network policies for secure access to production infrastructure.

Monitoring and logging

All Pigment system events are ingested into our Security Operations Center, which combines tools, people, and procedures to continuously detect and respond to threats.

AI security and governance

Pigment's AI features are governed by a framework aligned with the EU AI Act. Customer data is strictly isolated and never used to train foundation models. AI-generated insights are clearly identified, and human oversight is maintained throughout. All AI sub-processors undergo rigorous security and data protection assessments.

Incident response

Pigment maintains a formal incident response plan with documented procedures for detection, containment, and remediation. Major incidents escalate to CEO level immediately, and the plan is tested annually.

Secure development

Pigment ensures that all code changes are peer-reviewed prior to release, including manual and automated checks for security issues.

See Pigment in action

The best way to understand what Pigment could do for you is to see it in motion. Sign up for a personalized demo with our team today.

From 8 days to 4 min: update P&L actuals & financial forecasting

80%: time cut on data aggregation

12 hours: saved per month on executive reporting

6 days faster: for scenario creation and analysis