Security Information

Our founder-led engineering team has over a decade of prior experience securely and durably managing petabytes of highly confidential data for some of the world's biggest companies. Here are some ways we keep your data secure at Punch.

Financial Security

Your credit card and billing information is only stored securely via PCI-compliant industry-leading payment services.

Password Security

Punch's preference is to establish account authorization using OAuth. OAuth is an industry standard for authorizing secure delegated access to external apps and service providers. When connecting Punch via OAuth, we never receive or store your password and you can revoke our access at any time.

For instances where OAuth authorization is not used, Punch allows you to connect using a traditional username and password system. In these cases, Punch uses encryption to securely store a representation of your password.

You are responsible to choose secure passwords and to keep them safe. Punch cannot be responsible for data that is compromised due to an insecure or stolen user password. If using OAuth to authenticate, those underlying passwords must also be kept secure by you.

System and Network Security

We take the following steps to keep your data secure at rest and as it transits networks:

  • Partnered with one of the industry's most trusted infrastructure providers, Google Cloud, to secure and store your data.
  • Principle of Least Privilege: Systems and Employees are only granted enough access to perform the required tasks.
  • Modern Linux operating systems, conservative firewall rules and security configuration.
  • Encryption of data at rest.
  • Promptly patch critical issues by following industry security lists.

Uptime and Durability

In addition to security, it's critical to be able to access your data and services you rely on at all times. We do the following to keep Punch accessible to you at all times:

  • Cloud service platforms operating on diverse networks.
  • ComingSoon Third-party monitoring services track Punch's availability across the planet.
  • ComingSoon On-call engineers are automatically paged for any customer-facing outage.
  • ComingSoon Stored data is replicated to multiple servers for service performance and availability.
  • Data backups are performed daily and retained for a period of 30 days for disaster recovery.

ComingSoon Our service status page is available at

Operational Security

Our technical team is governed by a comprehensive Security Trust Policy based on industry best practices. We will only access your account with your permission to troubleshoot technical or support issues. Punch staff will never ask you for a password.

  • ComingSoon All Punch team members sign on to adhere to our Security Trust Policy with our Users
  • All staff computers run with full-disk encryption and strong passwords.
  • Every Punch employee is recommended to use 1Password for secure password creation and storage.

Responsible Disclosure

If you are a security researcher or you believe you have encountered a problem in Punch's security, please review the following.

Please report any security concerns to If you want to send an encrypted message, please request our public key.

We ask you provide us with a reasonable amount of time to address reports before publishing security-related information.

You are legally restricted from conducting any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned from our network.