Pooly
Security

How Pooly protects your data.

Pooly handles operator records, customer data, service history, and payment tokens. Below is exactly how we secure each. Honest about what we have shipped and what is on the post beta roadmap.

Security pillars

Six pillars of how we operate

Encryption everywhere

TLS 1.2+ for data in transit. AES-256 for data at rest. Customer card data is tokenized and never stored on Pooly servers.

Role based access

Owner, office, tech, and view only roles. Permissions per route, customer, and report. Audit log of access events.

AWS infrastructure

Hosted on AWS in US-East. Multi AZ database with automated backups. CloudFront for the marketing site, Lambda + ECS for the application tier.

Payment data isolation

Payments are processed by ClayPay and our underlying processor. Card numbers, CVV, and full PANs never touch Pooly application servers. Tokens only.

AI data handling

AI features run on customer data only when an operator initiates the request. Inputs are not used to train third party models. Provider keys are scoped to the minimum required.

Vulnerability disclosure

Security researchers and customers can report issues to security@poolyai.com. We acknowledge within 48 hours and patch critical issues within 7 days.

Operating practices

What we do every day

  • TLS 1.2 or higher on every Pooly endpoint with HSTS preload submitted
  • AES-256 encryption at rest for the production database
  • Production database in a private subnet, never exposed to the public internet
  • Daily automated backups with point in time recovery for the last 7 days
  • Least privilege IAM policies on every service and engineer account
  • Two factor authentication required on all production console access
  • Production secrets stored in AWS Secrets Manager, rotated quarterly
  • Dependency scanning on every commit through GitHub security advisories
  • Logging and audit trails retained for 90 days
  • Annual third party penetration test (planned post beta)

Compliance and certifications

Where we are right now

SOC 2 Type II

In progress

Targeted post beta. Initial Type I audit planned for Q4 2026.

PCI DSS

Out of scope

Payment data is processed by ClayPay and the underlying processor. Pooly never stores card numbers.

CCPA + state privacy laws

Compliant

Privacy policy and data subject request workflow available today.

Reporting

Vulnerability disclosure

Found a security issue? Email security@poolyai.com. We acknowledge within 48 hours and aim to patch critical issues within 7 days. We do not run a paid bug bounty during beta but we credit researchers in a public hall of fame on this page when requested.

Please do not perform automated scans against production. Reach out first if you want a sandbox to test.

Security questions for sales

If your team needs a vendor security review or a custom questionnaire response, email the founders directly.

Email foundersRead Privacy Policy