Data protection
- TLS 1.2+ for all data in transit; HSTS preloaded.
- AES-256 at rest for primary databases and backups.
- Tenant-isolated workspaces; cross-tenant access is impossible by design.
- Encrypted backups, offsite, with regular restore drills.
Access control
- Single sign-on (SSO) and multi-factor authentication available on every workspace.
- Role-based permissions following least-privilege.
- Privileged access reviewed quarterly; revocation triggered by HR events.
- All administrative actions are audit-logged with actor, action, and target.
Secure development lifecycle
- Code review required on every change; static analysis, dependency scanning, and secret detection in CI.
- Annual third-party penetration testing on the production stack.
- Bug-bounty / vulnerability disclosure program described at /security/responsible-disclosure.
- Production access via short-lived credentials and bastion paths only.
Incident response
- 24x7 on-call rotation; runbooks for outage, data breach, and account compromise.
- Customer notification on confirmed material incidents within the applicable contractual and legal deadlines.
- Post-incident review with timeline, root cause, and committed fixes.
Compliance and attestations
- Controls mapped to NIST SP 800-171; CMMC self-assessment summary available on request.
- SOC 2 Type II program in progress; interim SOC 2 readiness materials available under NDA.
- GDPR, UK GDPR, and Swiss FADP obligations covered via the Data Processing Addendum (DPA) and Standard Contractual Clauses (SCCs).
Security questionnaire or NDA review?
Reach our security team at security@partsperk.com for security questionnaires, third-party reports under NDA, or to start a vulnerability-disclosure conversation.
PartsPerk LLC · Delaware, United States · Doc /security · v1.0
