Perdoo is served 100% over HTTPS. All data sent to or from Perdoo is encrypted in transit using 256-bit encryption, using SHA-256 with RSA Encryption and SHA-256 ECDSA as the key exchange mechanism. Our API and application endpoints are TLS/SSL only and score an “A” rating on SSL Labs’ tests. In addition, all connections from our application servers to our databases are TLS encrypted.
All databases used by Perdoo are encrypted at rest, meaning that we also encrypt the database files on the hard disks themselves. Data encryption is deployed using industry-standard encryption and best practices for the frameworks we use.
Credit card safety
If you are a paying Perdoo customer, we do not store any of your card information on our servers. We use Stripe and Chargebee to handle this; both companies are dedicated to storing your sensitive data on PCI-compliant servers.
We have two-factor authentication (2FA) and strong password policies for all services that our employees use. These include Slack, Intercom, AWS, Heroku, GitHub and Google. We also encrypt the hard drives on all the laptops used within Perdoo by our employees.
There is only one employee with access to the production databases: our CTO. This is purely for engineering purposes, and access times are kept as low as possible.
Once a year we work with a well-regarded third-party auditor to check our systems for security vulnerabilities of any kind.
We use services like Papertrail and Rollbar to provide an audit trail over our infrastructure and the Perdoo application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
All customer data is stored in AWS data centres in Ireland, so it never leaves Europe.
We store our customer data in multi-tenant databases. Generally speaking, we do not have individual databases for each customer, although we do offer this service to some of our enterprise clients. However, strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer’s data.