Our approach to security
Pilla helps organisations manage and coordinate their frontline teams, which means we are trusted with information about your people and your operations. We take that seriously. This page explains, in plain terms, how we protect your data, where it lives, and how we keep the platform reliable.
If you are evaluating Pilla on behalf of your organisation and need more detail than this page provides, please get in touch using the security contact at the bottom.
Where your data is hosted
Pilla runs on managed cloud infrastructure provided by Supabase, hosted on Amazon Web Services (AWS). Your core data, including your database, files, and authentication records, is stored in the AWS London region. This means your data is held in the United Kingdom.
A small number of supporting services we rely on operate in other regions. Where that is the case, those transfers are covered by appropriate safeguards as described in the data protection section below.
Encryption
All data is encrypted in transit and at rest:
- In transit: every connection to Pilla, on the web app and the mobile app, is protected with TLS (HTTPS). Data moving between you and Pilla, and between Pilla and its infrastructure, is encrypted.
- At rest: the database and stored files are encrypted at rest using industry-standard AES-256 encryption.
Tenant isolation
Pilla is a multi-tenant platform, which means many organisations are served from shared infrastructure. Your data is kept logically separate from every other customer's data.
Every record in Pilla is tied to a single customer account. Isolation is enforced at the database layer, on every query, using row-level security policies, rather than relying on application code to remember to filter correctly. The result is that one customer's users can never read or write another customer's data.
Availability and reliability
Pilla is hosted on managed cloud infrastructure and is continuously monitored. Errors and anomalies are logged and alerted on so that issues can be identified and addressed quickly.
Backups and recovery
Pilla's production database is backed up automatically every day, with backups held in the same UK region as the live data. This allows us to recover the platform in the event of a serious failure or data-loss incident.
Authentication and access control
- Passwordless sign-in: Pilla does not ask your team to create or manage passwords. People sign in using a secure, single-use magic link sent to their email address, which removes an entire category of password-related risk.
- Role-based access: within each customer account, access is governed by roles. Administrators, managers, and staff each see and do only what their role permits, following the principle of least privilege.
Data protection
Your Pilla Ltd (trading as Pilla) is a UK limited company and is registered with the Information Commissioner's Office (ICO registration number ZB114085).
For the personal data of your team members, the relationship is as follows:
- The organisation that subscribes to Pilla is the data controller.
- Pilla is the data processor, processing that data on your behalf and under your instructions.
We make a Data Processing Agreement (DPA) available to customers, which sets out our obligations as a processor in line with the UK GDPR. Individuals can exercise their data protection rights, including access and erasure; see our Right to Erasure page and our Privacy Policy for detail.
Sub-processors
Pilla relies on a small number of carefully selected third-party providers to deliver the service, for example for hosting, email delivery, payments, and analytics. We hold each to appropriate data protection standards. A current list of our sub-processors is available on request and forms part of our Data Processing Agreement.
Reporting a security issue
We welcome reports from security researchers and customers. If you believe you have found a security vulnerability in Pilla, please email us at security@yourpilla.com with the details. We will acknowledge your report and work with you to resolve the issue. Please give us a reasonable opportunity to address any issue before disclosing it publicly.
Contact
For any question about Pilla's security or data protection practices, contact us at security@yourpilla.com.