Last updated: February 2026
Security Policy
Performy's top priority is the security of customer data. This document details our practices to ensure the Confidentiality, Integrity, and Availability of information.
1. Infrastructure and Certifications
All Performy infrastructure is hosted on Amazon Web Services (AWS), which maintains leading security certifications (SOC 1/2/3, ISO 27001, ISO 27018) for the underlying cloud infrastructure. Performy runs on this certified infrastructure and follows industry security best practices. Payments are handled externally by Stripe (PCI-DSS compliant); Performy never stores card data.
2. Storage and Hosting (Ireland)
- Data Location: To ensure regulatory compliance and data sovereignty, our primary database resides in the EU Region (Ireland, eu-west-1).
- Resilience: We perform automated database backups with a 14-day retention period, complemented by on-demand manual snapshots, all encrypted in eu-west-1. Customer content deleted on account termination is permanently removed, and any residual copies disappear within the 14-day backup retention window (within 44 days at most).
3. Encryption and Connectivity
- In Transit: All data is encrypted using RSA / SHA-256 mechanisms.
- Secure Protocols: API endpoints are accessible exclusively via TLS/SSL.
- Certificates: TLS certificates are managed via AWS Certificate Manager (ACM), with automatic renewal (TLS 1.2/1.3).
4. Monitoring and Authentication
- Active Monitoring: Amazon CloudWatch for infrastructure health and real-time monitoring, with automated alarms.
- Access Control: Access to customer data is restricted to authorized personnel through granular, least-privilege permission levels. Administrative access to our cloud infrastructure is protected with Multi-Factor Authentication (MFA).
- Confidentiality: All employees sign strict Non-Disclosure Agreements (NDAs).
- Availability: Service availability is continuously monitored with automated CloudWatch alarms and documented recovery procedures.
5. Bring Your Own Key (BYOK)
For customers with elevated privacy requirements, Performy can operate with your own AI credentials (OpenAI or Google Gemini).
- Your provider, your model: when BYOK is enabled, all AI analysis authenticates with your account, so the content of your calls does not transit through Performy's AI credentials. You choose the provider and the model.
- Encrypted credentials: your API Key is stored encrypted (Fernet) and is never accessible in plain text.
- Note: demo and free plans use Performy's AI key by design. As Whisper is OpenAI-only, transcription for a Gemini-only account uses Performy's key.