🔒 Trust
Security at Punchframe
The infrastructure, encryption, and process choices that protect your data and your guests' photos.
Infrastructure
Punchframe runs on Google Cloud Platform via Firebase App Hosting. Authentication, database, file storage, and analytics are all Firebase services. Google Cloud is ISO/IEC 27001, 27017, and 27018 certified and SOC 1/2/3 audited.
Encryption
- In transit: All traffic between your browser, our servers, and Firebase services is encrypted with HTTPS / TLS 1.2+.
- At rest: Firestore data and Cloud Storage objects are encrypted at rest by default using AES-256.
Authentication
Punchframe uses Google Sign-In exclusively. We never see, store, or handle your password. Your account is protected by whatever 2-factor authentication you have configured on your Google account.
Payment data
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified service provider. Card numbers, CVCs, and full bank details never touch our servers. We receive only a Stripe customer ID and your invoice metadata.
Photo access
Photos uploaded for an event are accessible only:
- To the operator who owns the event
- To guests with the event’s unique URL/QR code, during the event’s unlock window (typically event start through 18 hours after)
Firestore Security Rules and Cloud Storage Security Rules enforce these boundaries at the database level — not just in application code.
Data retention & deletion
When you delete an event, its photos and metadata are removed from Firestore immediately and from Cloud Storage within 30 days. When you delete your account, all associated event data is removed within 30 days (excluding billing records we are legally required to retain).
Reporting a vulnerability
If you discover a security issue, please email hello@innerpi.com with “Security report” in the subject line. Please give us a reasonable opportunity to investigate and remediate before public disclosure. We don’t currently run a paid bug bounty but we’ll credit responsible researchers in our changelog.
Subprocessors
The third-party services we use to deliver Punchframe:
- Google / Firebase — hosting, auth, database, storage, analytics
- Stripe — payment processing
See our Privacy Policy for details on what each receives.
Status & incidents
We’ll communicate major incidents and planned maintenance via email to active subscribers. For urgent event-day issues, email us directly.