Security Policy

Overview

Protecting our customer’s data is the most important thing our Engineers do at Perdoo. Due to the nature of the data we store, our users have extremely high expectations when it comes to protecting their data. We understand how important the responsibility of safeguarding this data is to our customers and work hard every day to maintain that trust.

We highly recommend you to also read our Terms & Conditions and Privacy Policy to learn more about our commitment to providing security services.

Security Team

We spend a lot of time finding the best people, especially when it comes to our engineers. Our team includes people who have built highly secure enterprise mobile & web applications at companies ranging from startups to large public companies.

Infrastructure

Perdoo does not run our own routers, load balancers, DNS servers, or physical servers.

Perdoo runs all of its services in the cloud. All of these are hosted on Heroku, which is built on Amazon Web Services (AWS). Both services maintain multiple certifications for their data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website, AWS Compliance website and Heroku security policy.

Encryption

In Transit

Perdoo is served 100% over https. All data sent to or from Perdoo is encrypted in transit using 256 bit encryption, using SHA-256 with RSA Encryption and SHA-256 ECDSA as the key exchange mechanism. Our API and application endpoints are TLS/SSL only and score an “A” rating on SSL Labs’ tests. In addition, all connections from our application servers to our databases are TLS encrypted.

At Rest

All databases used by Perdoo are encrypted at rest, meaning that we also encrypt the database files on the hard disks themselves. Data encryption is deployed using industry standard encryption and best practices for the frameworks we use.

Credit card safety

As a paying Perdoo customer, we do not store any of your card information on our servers. We use Stripe and ChargeBee to handle this, both companies dedicated to storing your sensitive data on PCI-Compliant servers.

Employee access

We have two-factor authentication (2FA) and strong password policies for all services that our employees use. These include Slack, Intercom, AWS, Heroku, GitHub, Google. We also encrypt the hard drives on all the laptops used within Perdoo by our employees.

There is only one employee with access to the production databases: Our CTO. This is purely for Engineering purposes and access times are kept as low as possible.

Security Audits

Once a year we work with a well-regarded third-party auditor to check our systems for security vulnerabilities of any kind.

We use services like Papertrail and Rollbar to provide an audit trail over our infrastructure and the Perdoo application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

Data

All customer data is stored in AWS data centres Ireland, so it never leaves Europe.

We store our customer data in multi-tenant databases. Generally speaking, we do not have individual databases for each customer, although we do offer this service to some of our enterprise clients. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer’s data.