<mailto:sales@pulumi.com|sales@pulumi.com>

1. Exactly what kind of data does Pulumi have access to? 

Pulumi stores metadata about your infrastructure so that it can manage your cloud resources. This metadata is called state. 
 Pulumi state does not include your cloud credentials. Credentials are kept local to your client — wherever the CLI runs — even when using the managed Pulumi Service backend. Pulumi does store configuration and secrets, but encrypts those secrets using your chosen encryption provider.

2. Can you provide any evidence about information security? 

I have attached a copy of a white paper that provides additional detail on the security of our SaaS 

3. Can you provide more details about the your SOC2 certification? 

The Pulumi SaaS is SOC II Type 2 certified, the entire report can be shared under NDA.

4. No provision on confidentiality is in the regular T&C only in the Professional Services Agreement. Will the Professional Services Agreement be applicable to us?

Unless we enter into a professional services engagement this is not usually 

5. Is somewhere in the terms stated that we will be informed in case of changes to general terms and conditions or use of product/services?

This is covered in Section 14 of the terms & conditions 
<https://www.pulumi.com/terms-and-conditions/> 

6. What is the operational impact of Pulumi being unavailable? Would we be unable to still do deployment?

In the event that you loose access to the Pulumi service you would be unable to access the Pulumi console or to access changes made by other users. You would still be able to make changes to your cloud infrastructure by accessing them directly.