At Pusher, we take data security very seriously. We have always had a strong commitment to privacy, security, and transparency – both for our customers and our own employees. This translates into a measured attitude to our security policies, procedures and certifications.
Our security program, management system, controls and the implementation of those are audited at least twice per year by an independent and qualified third party, evidenced by the valid ISO27001:2013 certificate.
Pusher services are provided by MessageBird UK Ltd. MessageBird is committed to providing best practice security and privacy technical and organizational measures. Close attention to local rules and regulations, employee-screening, and data encryption are just a few ways MessageBird ensures security and reliability.
This page documents all security and privacy-related information that we are able to share. It serves as a reference point for any questions that you may have.
Should you have any additional questions you can contact the Pusher team via our contact pages.
Please note that outside of the information listed on this page, we are only able to engage in security reviews for customers on Enterprise plans who have a security engagement included in their contract.
A completed Consensus Assessments Initiative Questionnaire (CAIQ)is available on request.
Pusher infrastructure and the products associated are ISO/IEC 27001:2013 certified.
MessageBird conducts its business in accordance with all applicable laws and regulations, including General Data Protection Regulation (GDPR).
For full details of certifications and registrations applying to all MessageBird products, please visit the parent company support pages.
A copy of the ISO27001:2013 certificate and the accompanying Statement of Applicability are available on request.
The CAIQ helps customers and auditors assess the information security capabilities of cloud based service providers such as MessageBird and the Pusher services. The CAIQ consists of 261 questions covering 17 different domains.
There is a limited amount of documentation which cannot be shared without a formal NDA agreed between Pusher and interested parties. This includes Penetration Test Attestation letters. Please contact the team for enquiries.
Documents are available which provide the reader with the information required to complete their own independent compliance and security assessments for MessageBird, including available certifications. Please contact the team for enquiries.
The Compliance Assessment package consists of the Security Overview, ISO27001:2013 certificate and Statement of Applicability, and CAIQ assessment.
A copy of the MessageBird Privacy Statement is available here. This statement aims to provide clear, accessible and easy-to-understand information to all website visitors, leads, customers and users of MessageBird services.
Articles which outline how to address HIPAA compliance when using Pusher products are available in the support knowledge base.
Data passed through Pusher APIs is ephemeral and is not stored by our system.
Please note that an exception applies to users of the Cache Channels feature on Pusher Channels. The feature is designed as a convenient way for clients to fetch the latest value from the edge of the network and is not a permanent store of data; cache values are only stored in memory and are removed after 30 minutes. The use of this channel type is optional.
For many customers the location through which data is passed is important to understand. Pusher products are covered by public clusters in 9 locations. Dedicated clusters are also provided on request to some enterprise customers.
End clients of Pusher services can theoretically be located anywhere in the world. When a message is sent to a client subscribed to a channel Pusher is not aware of the geographical location of that recipient.
If data publishing to your app is required to be restricted to specific country borders please consider the cluster chosen when creating your app. Customers who do not wish to publish data to Pusher services outside of the US, for example, should ensure that they are using a US cluster. More guidance is available in our documentation.
All data passed through Pusher is encrypted. Further, when using our end-to-end encrypted channels feature, Pusher is unable to read the content of the data field. Customers can use E2EE channels to further secure the data passed through us in the data field.
To see General Legal Terms and Conditions, including the Product Specific Terms and the Data Processing Annex, for any MessageBird services (and affiliates) please visit the MessageBird legal pages.
Security researchers who have found bugs on our platform are encouraged to report their findings on https://hackerone.com/messagebird and may be eligible for a reward in the case of valid vulnerabilities.
Should you find a vulnerability please follow the below guidance on response and reporting:
If the above points apply, please send an email directly to [email protected].
Any reward offered does not apply to products which are currently in beta release. Learn more.