How Juice Plus+ AUNZ used Power Weeks 🎉  Read the Case Study >

Penny Trust Center

Enterprise-grade data protection
Book your demo

SOC 2 -Type 1 Certified

Penny AI is SOC 2 Type-1 certified, including an audit performed by qualified evaluators from an independent third-party auditing firm.

Learn more

Soc2 1 1

World-class security infrastructure

Our security approach focuses on security governance, risk management and compliance. This includes encryption at rest and in transit, network security and server hardening, system monitoring, logging and alerting, and more.
Penny Hyperscale cloud is architected to be resilient against disruptions with redundant infrastructure, processes and automated incident response.
Enterprise level security is provided with multiple authentication methods from OpenID with OAUTH2, to Corporate SSO to legacy system protocols.
A centralized platform built to scale from a hundred to hundreds of thousands of consultants, high volume of customer orders and worldwide reach.


The Penny Enterprise platform is built to the highest security standards. Penny and its data are completely isolated and receive rapidly deployed security updates without customer interaction or service interruption.

Penny Hyperscale cloud – world-class architecture leveraging simultaneously active and redundant systems that allow the overall system to survive outages and remain operational.

Platform Security – holistic security approach is built into Penny operations, encompassing hardware and infrastructure, systems, applications, transmission and storage.

Robust API – highly secure, flexible and robust API enables Penny to connect to any of your existing and future back-office systems.

Security best practices

  1. Secure and reliable infrastructure. Penny uses Amazon Web Services (AWS) for the hosting and production environments. AWS centers are monitored by 24×7 security, biometric scanning, video surveillance and are fully SOC certified.
  2. Separation of machines housing critical data from machines running front end applications
  3. Strict access controls to each data piece defined by both Penny and the client
  4. An audit system which records each transaction built into the core of the product
  5. Physical restriction to machines is only allowed by authorized vendor, not even Penny employees can physically access them

Technical Architecture

How does Penny connect and integrate with my environment?

Diagram of Penny's Techincal Architecture

Illustreation of a woman on her secure computer protected from prying eyes

Data Privacy

Data ownership – Your data belongs 100% to you. Access to customer data is limited to authorized employees.

Data usage – We only use customer and consultant data to provide our service.

Data Encryption – Penny encrypts data at rest and data in transit between devices and networks for all of our customers. Data is encrypted at rest using industry standard AES-256 encryption algorithm

Privacy Policy

Development policy

The Penny development team uses a standardized process to ensure changes are made securely and reliably, with a focus on quality.

  1. All changes begin with a pull request from a local development branch to a QA environment.
  2. A code review is done by a senior developer before any changes are merged into a QA environment.
  3. All changes are tested in QA, and another run of testing in UAT.
  4. After rigorous UAT testing, code is pushed from UAT to production. All code migrations occur across SSL.
  5. Code deployment keeps all software up to date with the latest security patches.

Compliance standards

We are taking every step to ensure our people, processes and technology are compliant with any laws, rules, regulations and standards. For any questions about information and data security, please contact


Penny is committed to helping users understand their rights and obligations under the General Data Protection Regulation (GDPR).


We operate in accordance with data protection policies that are based on privacy principles that underlie the California Privacy Act (CCPA).

SOC 2 Type-1 Certification Completed, Type-2 Certification in Progress

Penny has completed the SOC 2 Type 1 certification and is working towards the Type 2 certification, including an audit performed by qualified evaluators from an independent third-party auditing firm.  

What is a SOC2 report and why is it important?

Service Organization Controls (SOC) is a detailed level of controls-based assurance covering five Trust Services Criteria (security, confidentiality, integrity, availability and privacy). It ensures service providers securely manage the retrieval, storage, processing and transfer of data to protect the interests of both the client’s organization and privacy of their customers.


What Compliance Controls are included in SOC2?


To ensure protection against unauthorized access, internal controls need to mitigate the potential abuse or misuse of the platform, theft or the unauthorized removal of data, and disclosure of personal information.


To ensure the restriction of confidential data, internal controls need to define security and data protection procedures.

Processing Integrity

To assure the intended purpose of a platform is achieved, internal controls need to monitor data processing and quality assurance procedures. The purpose focuses on processing the right data at the right time.


To control the access to a platform as per the contract and/or service level agreement with customers (specifically regarding the minimum acceptable level of performance), internal controls need to monitor performance and availability.


To control the collection and use of personal information, internal controls need to support the protection of personal information from unauthorized access.

How is Penny AI addressing the Compliance Controls?

Policies procedures and guidelines

We take technical, contractual, administrative, and physical security steps designed to protect Personal Information provided to Penny. We document and reinforce data protection in how we conduct our business.

Operational processes

We continue to review and adapt our internal processes to further mitigate any privacy risk.

Third-party risk management

We continually review vendors and integration partners’ security policies and procedures.

Data retention

We have implemented procedures designed to limit the dissemination of Personal Information to only such designated staff as are reasonably necessary to carry out the stated purposes we have communicated to you.

Data residency

Penny App stores its data on servers in the United States and Ireland. Penny relies heavily on Amazon Web Services ( for most of our infrastructure. Other companies which utilize this infrastructure include FDA, Netflix, Adobe, Suncorp and Dow Jones.

Terms & Conditions

We review our Terms and Conditions on a regular basis, providing access to the documentation on our website.

Data breach notifications

We have developed and follow Penny AI incident response policies.

Turn a data-driven, sales enablement platform into your competitive advantage.