Persoft
Trust Center

Security & Compliance

Transparency in our security practices, compliance roadmap and data protection commitments. We practice what we recommend to customers.

Security posture

Persoft's internal operations follow the same security, SRE and compliance standards we implement in client environments.

Data handling

Customer data is encrypted in transit and at rest, with access granted on a strict least-privilege basis.

Hosting & infrastructure

Infrastructure is hosted on SOC 2-compliant cloud providers in European regions, with redundancy and DR capabilities.

Access control

Multi-factor authentication (MFA) for all team members, role-based access control (RBAC) and regular access reviews.

Encryption

TLS 1.3 for data in transit and AES-256 for data at rest, with secure key management and encrypted backups.

Compliance status

Our compliance journey and current certifications.

ISO 27001

In progress
Expected: Q3 2025

Implementing an ISMS aligned with ISO 27001:2022.

SOC 2 Type II

Roadmap
Target: Q4 2025

Readiness activities are underway, with a planned 12‑month observation period.

GDPR

Compliant
Active compliance

European operations with GDPR‑aligned data protection practices.

Technical controls

Comprehensive security controls across our infrastructure and operations.

Encryption

TLS 1.3 in transit, AES-256 at rest.

Backups

Automated daily backups with defined retention and regular restore tests.

Vulnerability management

Regular security scanning and patching within SLA.

Monitoring & logging

Centralized logging, security event monitoring and alerting with SLO dashboards.

Incident response

Documented IR plan and on‑call coverage with blameless post‑incident reviews.

Business continuity

Tested disaster recovery procedures with explicit RTO/RPO objectives.

Responsible disclosure

Security contact

security@persoft.io

We acknowledge reports within 24 hours and provide an initial assessment within 72 hours. PGP key available on request.

In scope

  • Web applications and APIs
  • Infrastructure vulnerabilities
  • Auth issues
  • Data leakage

Out of scope

  • Social engineering
  • DoS / DDoS
  • Physical security

Data processing & privacy

Data Processing Agreement

Standard DPA terms are available for customers that require a formal data processing agreement, aligned with our documented control set and audit calendar.

Data residency & subprocessors

Customer data is processed primarily in European data centers with a small, vetted set of subprocessors (major cloud and collaboration providers).

Questions about our security practices?

We're happy to discuss our security posture, controls, SRE practices and compliance programs in more detail.