At Punchlist, we take data security seriously. We are dedicated to ensuring that your data remains secure and private. You can trust us with your projects and feedback because our team is devoted to stopping any unauthorized access to your account.

Secure authentication

We support single sign-on with Google SSO and Webflow.

To ensure superior security for all our users, we offer two-factor authentication functionality at the personal account level. We also offer session management so that users can see other locations and devices that are logged into their Punchlist account and log out remotely at any time.

Best-in-class security

Punchlist safeguards your data with the help of Amazon Web Services (AWS). Our cloud hosting provider uses fortified facilities and protocols to ensure total protection for everything you upload onto our platform. For more details, see

Data integrity

In order to help prevent data loss, Punchlist stores all data on fault-tolerant systems. Data are also regularly and automatically backed up on AWS servers.

Punchlist regularly backs up production data and encrypts all backups and databases.


Punchlist keeps our systems safe 24/7 with a proactive combination of security, monitoring and alerting. Our engineering team is always on the lookout to make sure nothing slips past them!


We maintain separation between development/staging and production environments and other best practices to ensure proper governance and control.

We are proud to announce that we have achieved SOC 2 Type I compliance, certifying our commitment and system requirements in accordance with the stringent security guidelines of SOC 2. All Enterprise subscribers can access a copy of this verification report upon request.

Payment safety

Punchlist ensures its customers’ safety by leveraging the advanced payment technology of Stripe. This allows for secured payments as Punchlist never needs to store or process any credit card information, providing a hassle-free and secure experience.

Software security

Despite taking extra precautions to ensure our products are secure, we understand that nothing can ever be completely risk-free.

We don’t make changes to code or servers in production. We aim to treat both our software and infrastructure configuration as code, meaning that all changes go through formal code review and automated testing.

Should you uncover anything potentially compromising in one of our systems or software packages, however, please don't hesitate to get in touch with us! Unfortunately, rewards for such discoveries are not offered at this time.

Latest update: February 3, 2023