// Trust & Security Report

    Pusher Ltd. (a Bird company, formerly MessageBird) logo

    Pusher Ltd. (a Bird company, formerly MessageBird)

    Real-time developer APIs: Pusher Channels (bi-directional pub/sub messaging) and Pusher Beams (push notifications for iOS and Android). Operated under Bird (formerly MessageBird) since the November 2020 acquisition.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001
    HELD

    Pusher infrastructure and the products associated are ISO/IEC 27001:2013 certified. Our security program, management system, controls and the implementation of those are audited at least twice per year by an independent and qualified third party, evidenced by the valid ISO27001:2013 certificate.

    Verify on pusher.com
    GDPR (posture)
    HELD

    MessageBird conducts its business in accordance with all applicable laws and regulations, including General Data Protection Regulation (GDPR). A Data Processing Annex is available on the MessageBird legal pages.

    Verify on pusher.com
    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    Bird security overview coverage table explicitly shows 'Mobile Push Beams & Channels (Pusher)' does NOT have SOC 2 Type I coverage, unlike most other Bird services (SMS, Conversation Channels, etc.).

    source: docs.bird.com
    SOC 2 Type II
    NOT CONFIRMED

    Bird security overview coverage table explicitly shows 'Mobile Push Beams & Channels (Pusher)' does NOT have SOC 2 Type II coverage.

    source: docs.bird.com
    HIPAA
    NOT CONFIRMED

    Pusher does not currently sign Business Associate Agreements with customers. Pusher claims the HIPAA conduit exception: 'Pusher Channels is a mere conduit... it does not store the data field of triggered events.' No BAA is offered and no formal HIPAA certification exists.

    source: docs.bird.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or scoping in any Pusher or Bird security documentation reviewed.

    source: pusher.com
    CSA STAR (certification)
    NOT CONFIRMED

    A completed Consensus Assessments Initiative Questionnaire (CAIQ) is available on request as part of the Compliance Assessment package. This is a self-assessment artifact, not a formal CSA STAR Level 1 or Level 2 certification.

    source: pusher.com
    ISO/IEC 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 (cloud security controls) certification in any Pusher or Bird security documentation reviewed.

    source: pusher.com
    ISO/IEC 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 (PII in public cloud) certification in any Pusher or Bird security documentation reviewed.

    source: pusher.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 AI governance certification. Pusher is a transport/messaging layer and does not present AI features.

    source: pusher.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization in any Pusher or Bird security documentation reviewed.

    source: pusher.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    9 public global cluster locations (includes US and EU). Dedicated clusters available on request for enterprise customers. Customers should select the appropriate regional cluster to control data routing. Pusher does not track the geographic location of end-client message recipients.

    Bird privacy policy explicitly states: 'No personal data or interactions are used to train or improve LLM service provider models.' Pusher's core transport architecture makes customer-data training a non-issue in practice: data passed through Pusher APIs is ephemeral and not stored, except Cache Channels where values are held in memory only for up to 30 minutes.

    // Security controls

    Encryption in transit

    All data passed through Pusher is encrypted in transit. End-to-end encryption (E2EE) channels are also available, preventing Pusher from reading the content of the data field.

    pusher.com

    Encryption at rest

    Data through Pusher APIs is ephemeral and not stored (except Cache Channels: in-memory only, 30-minute max). No explicit at-rest encryption statement because persistent storage is not used for message content.

    pusher.com

    Penetration testing

    Penetration test attestation letters available under NDA for enterprise customers. System is audited at least twice per year by an independent third party.

    pusher.com

    Vulnerability disclosure / bug bounty

    HackerOne program via https://hackerone.com/messagebird. Researchers eligible for rewards on valid vulnerabilities.

    pusher.com

    Monitoring

    Platform monitored 24x7 by automated systems with a dedicated operations team. Status at status.pusher.com.

    pusher.com

    Security reviews

    Full security reviews only available to Enterprise plan customers with a security engagement included in their contract. CAIQ (261 questions, 17 domains) available on request for all.

    pusher.com

    NDA-gated documentation

    Penetration test attestation letters require a formal NDA. The Compliance Assessment package (Security Overview, ISO 27001 certificate, Statement of Applicability, CAIQ) is available on request.

    pusher.com

    // Products & data scope

    Pusher ChannelsReal-time pub/sub messaging API

    data: Message content in the 'data' field is ephemeral (not stored). With E2EE channels Pusher cannot read content. Metadata (channel names, event names, connection counts) may be retained for billing and diagnostics. Cache Channels store the latest value in memory for up to 30 minutes.

    ISO 27001 covered. SOC 2 not covered. No BAA for HIPAA; conduit exception applies with E2EE. Enterprise: dedicated clusters and security reviews available.

    Pusher BeamsPush notifications API (iOS and Android)

    data: Notification payloads and device tokens processed for delivery. Ephemeral by nature. For HIPAA: use opaque identifiers rather than PHI in notification payloads.

    ISO 27001 covered. SOC 2 not covered. No BAA for HIPAA.

    // What to watch

    • PARENT-CERT AMBIGUITY: The ISO 27001 certificate is held by Bird/MessageBird (the parent entity), not by Pusher Ltd. independently. Bird's security matrix explicitly lists Pusher products as covered, and Pusher's own security page asserts it, but the actual certificate scope can only be confirmed on request. Enterprise procurement teams should obtain the certificate and Statement of Applicability.
    • ISO VERSION MISMATCH: Pusher's security page (pusher.com/security/) still references ISO/IEC 27001:2013, while Bird's current security documentation references ISO/IEC 27001:2022 for its products. Which version currently applies to Pusher and whether the upgrade to :2022 covers Pusher products should be confirmed with the vendor.
    • SOC 2 EXPLICITLY ABSENT: Pusher Channels and Beams are the only major Bird services with NO SOC 2 coverage (Type I or Type II). Unlike SMS, CRM, and Email services in the Bird portfolio, Pusher products are explicitly excluded from SOC 2 scope. Enterprise buyers with SOC 2 requirements should note this gap.
    • HIPAA: NO BAA AVAILABLE. Pusher relies on the HIPAA conduit exception and does not sign Business Associate Agreements. Covered entities with healthcare data must validate that the conduit exception applies to their specific use case and should not assume Pusher can be a HIPAA-compliant business associate.
    • BRAND TRANSITION: MessageBird rebranded as Bird in early 2024. Pusher's own site and some documentation still reference MessageBird. Legal terms, privacy policy, and DPA now sit under bird.com. Buyers doing due diligence should treat bird.com/legal as the authoritative source for Pusher legal documents.

    // At a glance

    Pricing model

    Freemium with usage-based paid tiers (per-connection and per-message volume). Enterprise plans with dedicated clusters and SLAs available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pusher Ltd. (a Bird company, formerly MessageBird)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pusher.com

    > Browse all vendor trust reports