
Data Security

How Performalise FZ LLC protects your data — TLS 1.3 encryption, AWS infrastructure, ISO 27001 alignment, annual pen tests, and 99.88% uptime.

Effective: 1 August 2025
Last updated: August 2025
Applies to: UK & EU
Contents
1. Overview
2. Infrastructure & hosting
3. Encryption
4. Access controls
5. Security audits & testing
6. Incident response
7. Availability & backups
8. Your obligations
9. Certifications & compliance
10. Vulnerability disclosure
11. Governing law
12. Contact

Summary: Performalise FZ LLC is built on AWS infrastructure, encrypted end-to-end with TLS 1.3, aligned to ISO 27001, and independently pen-tested. We maintain 99.88% uptime and respond to security incidents within defined SLAs. This policy forms part of our Terms of Service.

1. Overview

The security of your data is fundamental to everything we build at Performalise. This page describes our technical and organisational security measures, our obligations to you, and your responsibilities as a customer. This Security Policy is incorporated by reference into our Terms of Service and Data Processing Agreement.

Our security programme is aligned with the ISO/IEC 27001:2013 framework for information security management.

For questions relating to data protection and privacy, please see our Privacy Policy and Data Processing Agreement.

2. Infrastructure & hosting

All Performalise data and platform services are hosted on Amazon Web Services (AWS), utilising multiple availability zones to provide redundancy and resilience. AWS maintains ISO 27001, SOC 1/2/3, and PCI-DSS certifications.

  • Multi-AZ deployment across AWS data centres;
  • Network isolation using Virtual Private Clouds (VPCs) with strict security group rules;
  • Web Application Firewall (WAF) protecting against OWASP Top 10 attack vectors;
  • DDoS protection via AWS Shield;
  • Automated vulnerability scanning of all infrastructure components.

For information on AWS security practices, see aws.amazon.com/security

3. Encryption

3.1 Data in transit

All data transmitted between your browser or API client and Performalise is encrypted using TLS 1.3, providing:

  • FIPS 140-3 validated cryptographic algorithms;
  • AEAD cipher suites: AES-256-GCM or ChaCha20-Poly1305;
  • Perfect Forward Secrecy (PFS) — unique session keys that cannot be decrypted retrospectively.

TLS 1.0 and 1.1 are disabled. Our TLS configuration is graded A+ by Qualys SSL Labs.

3.2 Data at rest

All stored data — including Customer Data, database backups, and file storage — is encrypted at rest using AES-256 via AWS Key Management Service (KMS) with regular automated key rotation.

4. Access controls

  • Customer data isolation: each customer's data is logically separated — no customer can access another's data;
  • Internal access: employee access to production systems requires MFA and is granted on a strict need-to-know basis;
  • Role-based access control (RBAC): customers can assign roles (admin, team member, viewer) within the Platform;
  • Audit logging: all access to customer data environments is logged and regularly reviewed;
  • Contractor access: third-party contractors are subject to background checks and confidentiality obligations.

5. Security audits & testing

  • Annual penetration tests covering web application, API, and infrastructure layers (OWASP Top 10 scope);
  • Regular automated vulnerability scans against known CVE databases;
  • Security code reviews for significant new features or architectural changes;
  • Dependency scanning to identify and remediate vulnerable open-source components.

Penetration test executive summaries are available to enterprise customers under NDA upon written request to [email protected].

6. Incident response

We maintain a documented Security Incident Response Plan (SIRP). In the event of a confirmed Personal Data Breach:

  • We will notify affected customers without undue delay and within 72 hours of confirming the breach, in compliance with UK GDPR Article 33;
  • Notification will include: the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and measures taken;
  • We will notify the relevant supervisory authority where required by applicable law;
  • We will cooperate fully with any customer's incident investigation.

To report a suspected security incident: [email protected]

7. Availability & backups

Uptime target: We aim for 99.8% monthly availability, excluding scheduled maintenance windows (10:00 pm to 2:00 am UK time on Business Days) and events beyond our reasonable control. This is a target, not a contractual guarantee unless expressly stated in your Order Form.

Achieved uptime: 99.88% over the last 12 months.

  • Automated daily snapshots of all customer databases;
  • Point-in-time recovery (PITR) enabled — restoration to any point within the last 35 days;
  • Backup data encrypted at rest and stored in a separate AWS region;
  • Backup integrity tested quarterly through restoration drills.

On termination, Customer Data is available for export for 30 days, after which it is securely deleted. Written confirmation of deletion is available on request.

8. Your security obligations

Shared responsibility: Performalise FZ LLC secures the platform infrastructure. You are responsible for the security of your own network, endpoints, user credentials, and configuration choices within the platform. We are not liable for data breaches that originate from compromised customer-side credentials, devices, or misconfigurations.

  • Ensure Authorised Users keep their credentials confidential and do not share them;
  • Enable and enforce MFA for your Authorised Users where available;
  • Configure role-based access permissions appropriately;
  • Promptly notify us at [email protected] if you suspect any unauthorised access;
  • Ensure your own network and devices meet reasonable security standards;
  • Do not attempt to probe or test the vulnerability of the Platform without our prior written consent.

9. Certifications & compliance

Standard / Regulation | Status
ISO/IEC 27001:2013 | Aligned — formal certification in progress
UK GDPR & Data Protection Act 2018 | Compliant
EU GDPR (Regulation 2016/679) | Compliant
PECR 2003 | Compliant
AWS Shared Responsibility Model | Adopted
OWASP Top 10 | Mitigated — tested annually

10. Vulnerability disclosure

We operate a responsible disclosure programme. If you discover a potential security vulnerability:

  • Report it privately via [email protected] with subject line "Security Vulnerability";
  • Include a description of the issue, steps to reproduce, and your assessment of impact;
  • Do not publicly disclose before we have had a reasonable opportunity to investigate — we aim to acknowledge within 2 Business Days and resolve critical issues within 14 days.

11. Governing law

This Data Security Policy is governed by and construed in accordance with the laws of England and Wales. It forms part of the Terms of Service between Performalise FZ LLC and its customers. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

Performalise FZ LLC
Email: [email protected]
Platform: www.performalise.com


© 2026 Performalise FZ LLC. All rights reserved.
