Security
Protecting assessment evidence.
2Prune applies layered controls to access, data handling, assessment sessions, and operational monitoring.
Access controls
Customer workspaces use authenticated access and organization-scoped authorization. Participant sessions use time-bound assessment links and enforce session state such as not started, in progress, submitted, expired, or revoked.
Data boundaries
Assessment records, submissions, messages, evidence, and reports are scoped to the relevant customer and assessment. Sensitive server operations use separate privileged credentials.
Operational safeguards
2Prune records key workspace and submission events, validates access before protected operations, and uses verification states where assessment evidence is stored or processed asynchronously.
Incident response
2Prune maintains processes to assess suspected incidents, preserve relevant evidence, contain exposure, restore service, and support legally required customer or regulator notifications. Security reports are handled as confidential operational matters.
Responsible disclosure
If you believe you found a vulnerability, report it privately. Include clear reproduction steps and avoid accessing, changing, or retaining data that does not belong to you.
Reporting guidance
Do not include live credentials, participant submissions, or confidential customer materials in an initial report. We will coordinate a secure way to share sensitive details if needed.
Customer responsibilities
Customers must manage authorized users, protect credentials and exported data, configure assessments appropriately, remove access that is no longer needed, and notify 2Prune promptly of suspected compromise. No security program eliminates all risk.
Assurance statements
This page describes current practices and is not a certification, warranty, or guarantee. 2Prune does not claim an audit or certification unless it is expressly listed here with its scope and current report period.