// Trust & Security Report
Pulley, Inc.
Cap table and equity management platform for founders and finance teams (409A valuations, SAFEs/fundraising modeling, ASC 718/GAAP-IFRS reporting, equity liquidity via Nasdaq Private Market). Single core product with Startup, Growth, and Enterprise pricing tiers rather than distinct sub-products.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pulley.com“Pulley is SOC 2 Type II certified... audit was performed by Insight Assurance.”
Verify on pulley.com“"fully GDPR-compliant" (security page); DPA covers "Customer Personal Data may be transferred from the EEA, the United Kingdom, or Switzerland to the United States or other countries" governed by Standard Contractual Clauses (Module Two and Module Three).”
> Show 8 unconfirmed / not-held certifications
source: pulley.comNo evidence of a separate Type I report; vendor cites only the Type II audit by Insight Assurance.
source: pulley.comNo public evidence of ISO 27001 certification on pulley.com; the security page cites only SOC 2 Type II and does not mention ISO 27001.
source: pulley.comNo public evidence of HIPAA compliance; Pulley is a cap table/equity platform and does not process health data, and no HIPAA claim appears on its site.
source: pulley.comNo public evidence of PCI DSS certification; payment processing is handled via third-party processors listed generically as subprocessors in the privacy policy.
source: pulley.comNo public evidence of ISO 27017, 27018, or 27701 certification anywhere on pulley.com.
source: pulley.comNo public evidence of ISO 42001 certification; Pulley's AI use is limited to document onboarding assistance and is not described with any AI-governance certification.
source: pulley.comNo public evidence of CSA STAR registration or certification on pulley.com.
source: pulley.comNo public evidence of FedRAMP authorization; Pulley targets startups/finance teams, not US federal agencies.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
No specific data-center region disclosed on pulley.com; company is US-based (Oakland, CA) and the DPA references cross-border transfers from the EEA/UK/Switzerland to the US governed by SCCs, implying US-hosted infrastructure.
No statement on pulley.com's privacy policy, terms, or security page addresses whether customer cap table/equity data is used to train AI/ML models. Third-party listings mention AI-assisted document upload/organization during onboarding, but this is not confirmed on a vendor-owned page and no opt-out or training disclosure was found. Recorded as unknown (null) rather than assumed either way.
// Security controls
Encryption in transit
TLS 1.2+ (per DPA); described generally on security page as "end-to-end encryption"
pulley.comEncryption at rest
"industry-standard encryption for production data and backups" (per DPA)
pulley.comAccess control
Role-based access control, strict authentication controls, and comprehensive audit logging
pulley.comPenetration testing
"regular penetration testing" of systems and networks (frequency not disclosed)
pulley.comBreach notification
DPA commits to notify customers "without undue delay" of a personal data breach
pulley.comSubprocessor transparency
Maintains a subprocessor list and gives at least 10 days' notice before adding/replacing a subprocessor for customers who opt into notifications
pulley.com// Products & data scope
data: Cap table records, stakeholder PII, financing documents (SAFEs, convertible notes), 409A valuation data, board consents
Single platform scaled by stakeholder count ($1,200/yr for 25 stakeholders on Startup; $3,500/yr for 40 on Growth; custom pricing on Enterprise). Same security/compliance posture applies across tiers; no evidence of tier-gated security features.
// What to watch
- No downloadable SOC 2 report, audit date, or report period disclosed publicly, only a marketing claim of 'SOC 2 Type II certified' by Insight Assurance repeated consistently across three vendor pages; could not independently verify report scope or freshness.
- No dedicated third-party-hosted trust center (e.g. Vanta, SafeBase, Drata) was found; pulley.com/security functions as the vendor's own trust/security page.
- AI training posture on customer data is undocumented on any vendor-owned page; recorded as unknown rather than assumed compliant.
// At a glance
Pricing model
Per-stakeholder annual subscription (Startup $1,200/yr up to 25 stakeholders, Growth $3,500/yr up to 40 stakeholders, Enterprise custom)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pulley, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pulley.com