In one paragraph
OAuth tokens are encrypted at rest with Fernet symmetric encryption. We pull signal metadata from integrated tools — pull request titles, ticket statuses, channel activity counts — and never read message bodies, email contents, or document text. Reviews are generated by Anthropic Claude under terms that preclude training on your data. Application servers and the database sit in Europe. Customer accounts can require SSO via SAML 2.0; admin accounts use 2FA plus trusted-device sessions. A SOC 2 Type I audit is the next milestone on the compliance roadmap.
Encryption
OAuth refresh and access tokens — for every connected integration — are encrypted at rest using Fernet (AES-128 in CBC mode with HMAC-SHA256). The symmetric key lives only on the application server, sourced from a secret manager at boot. Tokens are decrypted in memory at request time and never written to logs.
All traffic to the marketing site, the customer app, and the admin console is served over TLS 1.2+ with HSTS enforced (2-year max-age, includeSubDomains).
What we read, what we don't
We read: account data (name, work email, organization); signal metadata from connected integrations — PR titles and merge status, ticket keys and status transitions, channel activity counts and timestamps, email headers (subject/from/to/date), calendar event titles, CRM deal stage changes, OKR/goal status.
We don't read: message bodies, email contents, document text, calendar event descriptions, or attachment contents. The integrations are scoped read-only and to the narrowest metadata surface that supports drafting reviews.
One opt-in exception: customer-facing call transcripts (Aircall, Teams, Zoom) for roles where the conversation IS the work — sales, customer-success, advisors. Requires an explicit consent attestation by an org admin. Internal team meetings are filtered out by attendee domain. See the privacy page for the full opt-in flow.
Authentication & access
Customer accounts can require SAML 2.0 single sign-on — generic SP integration, per-org IdP config, just-in-time provisioning on email-domain match. Operator (admin) accounts are not exposed via SSO; admin access requires password + TOTP 2FA, recovery codes, and can use 30-day trusted-device cookies that are individually revokable.
Inside the app, every org-scoped resource is gated by a same-org assertion at the API layer; admin impersonation is logged with the impersonating admin's ID in a cross-referenced audit table.
AI processing
Performance review drafts are generated by Anthropic Claude. Anthropic's API terms preclude training models on customer data sent via the API. Each generation request sends only the signals relevant to the active review cycle — no historical context across cycles, no cross-tenant data, and no PII beyond what's needed to identify the employee.
Where your data lives
Application servers and the primary database are hosted in Europe. Transactional email is delivered via Resend (US). Backups are encrypted and rotated every 30 days.
Sub-processors
We use the following sub-processors to deliver the service. Each handles a narrow slice of data under contractual data-protection obligations.
- Anthropic — Claude API for review generation. No training on customer data.
- Resend — transactional email (account, verification, magic-link review delivery).
- Stripe — billing and Customer Portal. We never store card numbers; tokens only.
- Sentry — error monitoring with PII scrubbing enabled.
- PostHog — first-party analytics on the marketing site (pageviews + CTA clicks). No cross-site tracking.
- European cloud provider — application + database hosting (specific vendor available on request via legal@perfcopilot.com).
SOC 2 status
We're documenting our controls now and the SOC 2 Type I audit is targeted to kick off later in 2026. Type II will follow once observation-period evidence is collected. We'll update this page when the audit completes, and the report will be available under NDA.
In the meantime: if you're going through procurement and need something in writing about a specific control, email legal@perfcopilot.com and we'll send a short controls memo.
Data Processing Agreement (DPA)
The plain-language version of our DPA sits below. The long-form PDF, executable for procurement, is available on request via legal@perfcopilot.com.
- Roles. You are the data controller; we are the data processor for the data you connect through integrations.
- Processing scope. We process the metadata listed in "What we read, what we don't" solely to deliver review drafts and the dashboard. No other processing without your written instruction.
- Sub-processors. The list above. We'll notify you in-app at least 30 days before adding a new sub-processor; you can object in writing.
- Security measures. Encryption at rest (Fernet), TLS 1.2+ in transit, role-based access inside the app, 2FA on operator accounts, encrypted 30-day backups, audit logging.
- Breach notification. If we become aware of a personal-data breach, we'll notify you without undue delay and no later than 72 hours after discovery, with what we know and what we're doing.
- Data deletion. On account deletion we permanently remove your organization's data within 30 days; backups containing the data expire on their normal rotation schedule.
- International transfers. Customer data is processed in the EU; the only cross-border transfer is transactional email delivery via Resend (US), which operates under Standard Contractual Clauses (SCCs).
- Sub-processor liability. We remain responsible for sub-processors' compliance with the equivalent of these terms.
Incident response
We monitor errors and authentication anomalies in real time (failed logins, password-reset abuse, suspicious 2FA patterns) with paging alerts. If we confirm a security incident affecting customer data, we contact affected org admins directly within 72 hours, alongside a public status note for material incidents.
Reporting a vulnerability
If you've found a security issue, please email security@perfcopilot.com with steps to reproduce. We acknowledge within one business day, investigate in good faith, and ask that you not publicly disclose until we've had a reasonable chance to fix and notify affected customers.
Contact
Security / compliance: security@perfcopilot.com. Legal / DPA: legal@perfcopilot.com. Anything else: /contact.
This page is provided in good faith and reflects controls as of the date below. It is not a substitute for the long-form DPA or for a formal SOC 2 report. We recommend lawyer review before relying on it for compliance or contract decisions. Last updated: 2026-05-20.