// Trust & Security Report

    Pulley, Inc. logo

    Pulley, Inc.

    Cap table and equity management platform for founders and finance teams (409A valuations, SAFEs/fundraising modeling, ASC 718/GAAP-IFRS reporting, equity liquidity via Nasdaq Private Market). Single core product with Startup, Growth, and Enterprise pricing tiers rather than distinct sub-products.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Pulley is SOC 2 Type II certified... audit was performed by Insight Assurance.

    Verify on pulley.com
    GDPR (compliance posture, not a certification)
    HELD

    "fully GDPR-compliant" (security page); DPA covers "Customer Personal Data may be transferred from the EEA, the United Kingdom, or Switzerland to the United States or other countries" governed by Standard Contractual Clauses (Module Two and Module Three).

    Verify on pulley.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No evidence of a separate Type I report; vendor cites only the Type II audit by Insight Assurance.

    source: pulley.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on pulley.com; the security page cites only SOC 2 Type II and does not mention ISO 27001.

    source: pulley.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance; Pulley is a cap table/equity platform and does not process health data, and no HIPAA claim appears on its site.

    source: pulley.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification; payment processing is handled via third-party processors listed generically as subprocessors in the privacy policy.

    source: pulley.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of ISO 27017, 27018, or 27701 certification anywhere on pulley.com.

    source: pulley.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification; Pulley's AI use is limited to document onboarding assistance and is not described with any AI-governance certification.

    source: pulley.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on pulley.com.

    source: pulley.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; Pulley targets startups/finance teams, not US federal agencies.

    source: pulley.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    No specific data-center region disclosed on pulley.com; company is US-based (Oakland, CA) and the DPA references cross-border transfers from the EEA/UK/Switzerland to the US governed by SCCs, implying US-hosted infrastructure.

    No statement on pulley.com's privacy policy, terms, or security page addresses whether customer cap table/equity data is used to train AI/ML models. Third-party listings mention AI-assisted document upload/organization during onboarding, but this is not confirmed on a vendor-owned page and no opt-out or training disclosure was found. Recorded as unknown (null) rather than assumed either way.

    // Security controls

    Encryption in transit

    TLS 1.2+ (per DPA); described generally on security page as "end-to-end encryption"

    pulley.com

    Encryption at rest

    "industry-standard encryption for production data and backups" (per DPA)

    pulley.com

    Access control

    Role-based access control, strict authentication controls, and comprehensive audit logging

    pulley.com

    Penetration testing

    "regular penetration testing" of systems and networks (frequency not disclosed)

    pulley.com

    Breach notification

    DPA commits to notify customers "without undue delay" of a personal data breach

    pulley.com

    Subprocessor transparency

    Maintains a subprocessor list and gives at least 10 days' notice before adding/replacing a subprocessor for customers who opt into notifications

    pulley.com

    Data monetization stance

    "You own your data. Pulley never monetizes your data"

    pulley.com

    // Products & data scope

    Pulley Cap Table Management (Startup / Growth / Enterprise tiers)Equity and cap table management

    data: Cap table records, stakeholder PII, financing documents (SAFEs, convertible notes), 409A valuation data, board consents

    Single platform scaled by stakeholder count ($1,200/yr for 25 stakeholders on Startup; $3,500/yr for 40 on Growth; custom pricing on Enterprise). Same security/compliance posture applies across tiers; no evidence of tier-gated security features.

    // What to watch

    • No downloadable SOC 2 report, audit date, or report period disclosed publicly, only a marketing claim of 'SOC 2 Type II certified' by Insight Assurance repeated consistently across three vendor pages; could not independently verify report scope or freshness.
    • No dedicated third-party-hosted trust center (e.g. Vanta, SafeBase, Drata) was found; pulley.com/security functions as the vendor's own trust/security page.
    • AI training posture on customer data is undocumented on any vendor-owned page; recorded as unknown rather than assumed compliant.

    // At a glance

    Pricing model

    Per-stakeholder annual subscription (Startup $1,200/yr up to 25 stakeholders, Growth $3,500/yr up to 40 stakeholders, Enterprise custom)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pulley, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pulley.com

    > Browse all vendor trust reports