# getting-started
r
Hi all, I guess there are Pulumi team members here from whom we would like to get some support. We sent this support e-mail last week but still didn’t get a response, and we need to make a decision until Tomorrow. So if anyone can take a look at this we would appreciate it. You can respond to this email: d.dimitric@levi9.com Thanks!
Hello,

We are currently qualifying Pulumi as our Infrastructure management tool, but we have some Information security concerns that we'd like to clear up.

Our product is classified as a *Medical device* and therefore needs to conform to a high security standard, especially regarding PII.

We saw this section on your website, and we would like to have a bit more information about it:

> The Pulumi Service is reliable, secure, and has undergone multiple audits, including SOC2 and professional pen-testing. Because of the client/server division of responsibilities — notably that the server doesn't have direct access to your cloud credentials, runtime data, or PII — the Pulumi Service has been used in organizations with advanced compliance needs, including PCI, ISO 27001, HIPAA, and more. If you'd like to discuss any of these topics, please contact us.

(copied from <https://www.pulumi.com/docs/intro/concepts/state/>)

The T&C (<https://www.pulumi.com/terms-and-conditions/>) and PP (<https://www.pulumi.com/privacy/>) pages on your website didn't provide enough information, so we would just like to clear some things up:

1. Can you provide any evidence about information security? What do you have in place to make sure our data is safe? There is no written policy on the website.
2. Can you provide more details about your SOC2 certification?
3. Exactly what kind of data does Pulumi have access to? Be very specific please.
4. What is the operational impact of Pulumi being unavailable?

Our product currently operates in EU, and it will be available in the US, as well as Globally.

These are the standards we currently implement (and possibly there will be more):
- ISO 13485
- ISO/IEC 27001
- NEN 7510

Thanks in advance,
SkinVision Team
g
3. and 4. are kinda easy to answer. 3. - everything that is part of a Stack config + Stack State. 4. You are not able to deploy or destroy resources. PS: Pulumi provides a Secret service to encrypt secrets; you can use your own KMS to encrypt those secrets and then Pulumi will only ever see the hashes.
r
Thanks, no. 1 is kind of the main point for the company
g
yeah I'd be really curious about 1. and 2. myself!
what email did you send your question to? I'd recommend using sales@pulumi.com for these questions
r
We used the contact form I think, will forward the mail to sales as well, thanks! I’ll post their response here
w
@rough-intern-34947 Sorry about missing the original inquiry, but we did receive the request sent to sales@ and will follow up.
r
Thanks @witty-candle-66007 !
We got our response, thanks once again! I will paste the relevant parts so that other people can reference those as well:
1. Exactly what kind of data does Pulumi have access to? 

Pulumi stores metadata about your infrastructure so that it can manage your cloud resources. This metadata is called state.
Pulumi state does not include your cloud credentials. Credentials are kept local to your client — wherever the CLI runs — even when using the managed Pulumi Service backend. Pulumi does store configuration and secrets, but encrypts those secrets using your chosen encryption provider.

2. Can you provide any evidence about information security? 

I have attached a copy of a white paper that provides additional detail on the security of our SaaS 

3. Can you provide more details about your SOC2 certification?

The Pulumi SaaS is SOC II Type 2 certified, the entire report can be shared under NDA.

4. No provision on confidentiality is in the regular T&C only in the Professional Services Agreement. Will the Professional Services Agreement be applicable to us?

Unless we enter into a professional services engagement this is not usually 

5. Is somewhere in the terms stated that we will be informed in case of changes to general terms and conditions or use of product/services?

This is covered in Section 14 of the terms & conditions 
<https://www.pulumi.com/terms-and-conditions/> 

6. What is the operational impact of Pulumi being unavailable? Would we be unable to still do deployment?

In the event that you lose access to the Pulumi service you would be unable to access the Pulumi console or to access changes made by other users. You would still be able to make changes to your cloud infrastructure by accessing them directly.