Security

At Pusher, we take data security very seriously. We have always had a strong commitment to privacy, security, and transparency – both for our customers and our own employees. This translates into a measured attitude to our security policies, procedures and certifications.

Our security program, management system, controls and the implementation of those are audited at least twice per year by an independent and qualified third party, evidenced by the valid ISO27001:2013 certificate.

Pusher services are provided by MessageBird UK Ltd. MessageBird is committed to providing best practice security and privacy technical and organizational measures. Close attention to local rules and regulations, employee-screening, and data encryption are just a few ways MessageBird ensures security and reliability.

This page documents all security and privacy-related information that we are able to share. It serves as a reference point for any questions that you may have.

Should you have any additional questions, you can contact the Pusher team via our contact pages.

1. Security Reviews

Please note that outside of the information listed on this page, we are only able to engage in security reviews for customers on Enterprise plans who have a security engagement included in their contract.

A completed Consensus Assessments Initiative Questionnaire (CAIQ) is available on request.

2. Certifications and Registrations

Pusher infrastructure and its associated products are ISO/IEC 27001:2013 certified.

MessageBird conducts its business in accordance with all applicable laws and regulations, including General Data Protection Regulation (GDPR).

For full details of certifications and registrations applying to all MessageBird products, please visit the parent company support pages.

A copy of the ISO27001:2013 certificate and the accompanying Statement of Applicability are available on request.

The CAIQ helps customers and auditors assess the information security capabilities of cloud-based service providers such as MessageBird and the Pusher services. The CAIQ consists of 261 questions covering 17 different domains.

3. Non-disclosure agreements

There is a limited amount of documentation which cannot be shared without a formal NDA agreed between Pusher and interested parties. This includes Penetration Test Attestation letters. Please contact the team for enquiries.

4. Compliance Assessment

Documents are available which provide the reader with the information required to complete their own independent compliance and security assessments for MessageBird, including available certifications. Please contact the team for enquiries.

The Compliance Assessment package consists of the Security Overview, ISO27001:2013 certificate and Statement of Applicability, and CAIQ assessment.

5. Privacy Statement

A copy of the MessageBird Privacy Statement is available here. This statement aims to provide clear, accessible and easy-to-understand information to all website visitors, leads, customers and users of MessageBird services.

6. HIPAA

Articles which outline how to address HIPAA compliance when using Pusher products are available in the support knowledge base.

7. Data Storage

Data passed through Pusher APIs is ephemeral and is not stored by our system.

Please note that an exception applies to users of the Cache Channels feature on Pusher Channels. The feature is designed as a convenient way for clients to fetch the latest value from the edge of the network and is not a permanent store of data; cache values are only stored in memory and are removed after 30 minutes. The use of this channel type is optional.

8. Data Location

For many customers the location through which data is passed is important to understand. Pusher products are covered by public clusters in 9 locations. Dedicated clusters are also provided on request to some enterprise customers.

End clients of Pusher services can theoretically be located anywhere in the world. When a message is sent to a client subscribed to a channel, Pusher is not aware of the geographical location of that recipient.

If data publishing to your app is required to be restricted to specific country borders, please consider the cluster chosen when creating your app. Customers who do not wish to publish data to Pusher services outside of the US, for example, should ensure that they are using a US cluster. More guidance is available in our documentation.

9. Encryption

All data passed through Pusher is encrypted. Further, when using our end-to-end encrypted channels feature, Pusher is unable to read the content of the data field. Customers can use E2EE channels to further secure the data passed through us in the data field.

10. Legal

To see General Legal Terms and Conditions, including the Product Specific Terms and the Data Processing Annex, for any MessageBird services (and affiliates) please visit the MessageBird legal pages.

11. Vulnerabilities

Security researchers who have found bugs on our platform are encouraged to report their findings on https://hackerone.com/messagebird and may be eligible for a reward in the case of valid vulnerabilities.

Should you find a vulnerability, please follow the guidance below on response and reporting:

  1. Ensure the vulnerability relates directly to Pusher or an official library. Although we will try to help, we cannot be responsible for issues that arise in libraries written by third-party developers and not endorsed by Pusher. Questions regarding third-party libraries are best suited to individual library authors.
  2. Disclose the vulnerability safely and discreetly. If you find a vulnerability, please get in touch, report it to us quickly, and avoid making details of the vulnerability public.
  3. Don’t exploit the vulnerability to negatively affect other users. If you’ve discovered a vulnerability that could negatively impact other users, please report it to us immediately and avoid testing it on anyone else.
  4. Provide as much information as possible. The more information you can provide our team, the easier it will be to verify the validity of a security report. Screenshots, video recordings and detailed steps to reproduce your experience tend to be the best ways of conveying the vulnerability.

If the above points apply, please send an email directly to [email protected].

Any reward offered does not apply to products which are currently in beta release.