Welcome to Pinecone's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Subprocessors
Security Grades
We are constantly monitoring the security of our website. We will post our grades from public security rating agencies when they become available.
ISO
We are thrilled to announce that Pinecone has successfully completed our annual ISO 27001:2022 surveillance audit, ensuring our certification remains fully active! This ongoing milestone underscores our unwavering commitment to providing the highest standards of information security for our valued customers year after year. Passing this audit validates that Pinecone continues to uphold and actively manage rigorous, industry-leading security controls to safeguard your data. For complete transparency, you can verify our active certification status using the certificate number via the IAF CertSearch database.
Axios Supply Chain Attack
Pinecone is aware of the recent supply chain attack targeting the axios NPM package. Following a comprehensive audit of our infrastructure and dependencies, we have confirmed that Pinecone is not affected. We have successfully deployed monitoring capabilities and detection logic specifically designed to identify these compromised versions. We are actively scanning our environments to prevent any potential impact on our services or customers.
Vercel April 2026 Incident - Pinecone Advisory
What happened
On April 19, 2026, Vercel disclosed a security incident involving unauthorized access to certain internal Vercel systems.
For more details, see Vercel's official security bulletin.
Is Pinecone affected?
No. Pinecone was not directly compromised.
We completed an internal investigation and confirmed:
- The Context.ai OAuth application identified in the breach was never installed or authorized in Pinecone's Google Workspace.
- There is no record of Context.ai in use at Pinecone.
- Vercel has communicated to us that they do not have reason to believe Pinecone credentials or personal data were compromised.
Pinecone's core infrastructure, customer data, and API services were not impacted by this incident.
What we did
Out of an abundance of caution, Pinecone's security team took the following actions:
- Rotated all environment variables associated with our Vercel-hosted projects.
- Verified that the malicious OAuth application was not present in our Google Workspace.
- Reviewed Vercel activity logs for any signs of suspicious access.
- Confirmed deployment protection settings across all Vercel projects.
All remediation actions have been completed.
No action is required by Pinecone customers
This incident did not affect Pinecone's services, customer data, or API keys.
We will continue to monitor the situation and will provide updates if any new information warrants further action.
SOC2 Update
We are proud to announce the successful completion of our 2025 SOC 2 Type II audit, which confirmed that our security, availability, and confidentiality controls operated with zero deviations. This milestone reinforces our commitment to providing a secure and reliable vector database for your production applications. The full report is now available for review in our safety center.
Shai-Hulud
Pinecone is aware of the ongoing Shai-Hulud and Shai-Hulud 2.0 worm campaigns targeting the NPM ecosystem. Following a comprehensive audit of our infrastructure and dependencies, we have confirmed that Pinecone is not affected.
We have successfully deployed monitoring capabilities and detection logic specifically designed to identify this worm. We are actively scanning for compromised packages to prevent any impact on our services or customers.


