Goal 1 — Multi-factor authentication
MFA is supported on every workspace and is enforced by default for administrative roles. SSO via SAML 2.0 / OIDC is available. We plan to turn MFA enforcement on by default for all customers, with an admin override.
Goal 2 — Default passwords
The platform does not ship with default credentials. New workspaces force a credential set on first sign-in; service accounts are provisioned with rotation policies.
Goal 3 — Reducing entire vulnerability classes
- Memory-safe languages for application code (TypeScript / Rust where applicable).
- Parameterized queries and ORM-managed database access; SQL injection mitigated at the data layer.
- Strict CSP, HSTS, CSRF tokens, and same-site cookies; XSS mitigated by templating and output encoding.
- Static analysis, secret detection, and dependency scanning in CI on every change.
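Two of the Goal 3 controls shown in code, as an added example that is not PartsPerk's own code: a query built with a bound placeholder instead of string concatenation (the vulnerable shape is kept beside it for contrast), an output encoder for untrusted text placed into HTML, and the cookie attributes the same-site setting implies. The table name, column names and the use of a driver that accepts `text` and `values` separately (as node-postgres does) are assumptions for illustration.

```typescript
// Added example (not PartsPerk code): Goal 3 controls in TypeScript.
// 1. Parameterized queries: input is passed as a bound value, never spliced
//    into the SQL text, so quotes or keywords in it cannot change the grammar.
// 2. Output encoding: untrusted text is HTML-escaped before reaching markup.
// Table/column names and the driver shape are assumed for illustration.

interface ParameterizedQuery {
  text: string;     // SQL with positional placeholders ($1, $2, ...)
  values: string[]; // bound values, transmitted separately from the SQL text
}

// Safe shape: the part number travels in `values`, not in `text`.
function findPartByNumber(partNumber: string): ParameterizedQuery {
  return {
    text: "SELECT id, name FROM parts WHERE part_number = $1",
    values: [partNumber],
  };
}

// The 'before' shape, kept only for contrast: a single apostrophe in the
// input already breaks the statement, which is exactly what Goal 3 rules out.
function findPartByNumberUnsafe(partNumber: string): string {
  return `SELECT id, name FROM parts WHERE part_number = '${partNumber}'`;
}

// Characters that can terminate HTML text or attribute context.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encodes untrusted text so it renders as data rather than markup.
function escapeHtml(untrusted: string): string {
  return untrusted.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Template output always goes through the encoder, never raw interpolation.
function renderPartName(name: string): string {
  return `<span class="part-name">${escapeHtml(name)}</span>`;
}

// Session cookie carrying the same-site, HttpOnly and Secure attributes
// listed in Goal 3; the cookie name is assumed.
function sessionCookie(value: string): string {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}
```

Running `findPartByNumber("O'Reilly")` keeps the apostrophe inside `values`, while the unsafe variant produces a statement with an unbalanced quote; the encoder turns `<` and `"` into entities so a supplier name containing markup is displayed literally.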
Goal 4 — Security patches
Critical security patches are deployed within 7 days; high-severity within 30 days; medium within 90 days. Customer-facing security patches are documented in the changelog with the affected version range.
Goal 5 — Vulnerability disclosure policy
We operate a published vulnerability disclosure policy with safe-harbor for good-faith research. See /security/responsible-disclosure and /.well-known/security.txt.
Goal 6 — CVE assignment
Security issues that meet CVE criteria are submitted for CVE ID assignment with accurate severity scoring and impact descriptions, regardless of whether they are externally reported or internally discovered.
Goal 7 — Evidence of intrusions
Customers can obtain audit logs covering authentication, administrative actions, and data-access events. We document log retention and customer access methods on the Security overview page.
PartsPerk LLC · Delaware, United States · Doc /policies/secure-by-design · v1.0
