PULLFIRST [THE RECORD]
SECURITY / 01.0
PULLFIRST / v1

HOW WE HANDLE YOUR DATA.

PullFirst serves public government records. We do not collect personal data from your API calls beyond what Stripe needs to bill you. Here is what is actually in place, stated plainly.

02.0 INFRASTRUCTURE

Where the record lives.

A HOSTING

Fly.io · Neon · Vercel

The PullFirst API runs on Fly.io. The primary database is PostgreSQL on Neon, us-central. The marketing site and customer dashboard deploy to Vercel.

B TRANSPORT

TLS 1.3, end to end

Every request to the PullFirst API is served over TLS 1.3. Requests to non-TLS endpoints redirect to HTTPS before any payload is read.

C AUTHENTICATION

Hashed API keys

API keys are SHA-256 hashed at rest. Plaintext is shown exactly once at creation and never stored. Per-tier rate limits are enforced at the middleware layer on every request.

03.0 DATA HANDLING

What we store. And don't.

WE STORE
  • Customer account record (email, name, Stripe customer ID)
  • API keys (SHA-256 hashed)
  • Rate-limit counters (rolling windows)
  • API key metadata (creation date, last-used timestamp)
  • Request metadata for rate limiting (endpoint, timestamp, status)

WE DO NOT STORE
  • Query contents beyond aggregated counts
  • Contractor lookups attributable to a customer
  • PII beyond the account email
  • Response bodies returned to your requests
  • Request payloads sent to POST endpoints

Request metadata means endpoint path, response code, and timestamp. It does not include query parameters, response bodies, or identifying contractor lookups.

04.0 PAYMENTS

Payments go through Stripe.

PullFirst does not touch your card. All payment processing runs through Stripe Checkout and Stripe Customer Portal. We store a Stripe customer ID and subscription status. That is the entire billing surface.

Card numbers, expiry, CVC, and billing address never reach the PullFirst API or database. Refunds and cancellations run through Stripe's hosted portal via your dashboard.

05.0 DATA REQUESTS

Access, export, deletion.

Email support@pullfirst.com from the address on the account to request access, export, or deletion of the account record. Handled individually, not on a schedule.

06.0 INCIDENTS

If something goes wrong.

STATUS

Best-effort reliability

PullFirst runs on best-effort reliability with no published uptime commitment and no SLA. Email support@pullfirst.com if the API is down.

* PullFirst does not currently hold SOC 2, ISO 27001, or HIPAA attestations.

SECURITY / 07.0

Questions about our security posture?

Send a concrete question. Generic questionnaires get generic answers. Specific ones get specific answers from the same people who ship the platform.