Background Banner Image

Information security and compliance

Peak provides a centralized environment for managing data and executing data science workflows within a secure infrastructure. It ensures data scientists access data without compromising security or data governance.

Peak's security credentials

Our commitment to privacy and security

At Peak, security is at the heart of our operations, ensuring the resilience of our business. We’re proud to hold ISO 27001 certification and undergo annual SOC 2 type 2 audits by an accredited third-party auditor. Additionally, we adhere to The Data Protection Act 2018, reflecting our ongoing commitment to GDPR compliance.

To ensure the protection of data while enabling data scientists to perform their roles, we implement controlled data access on the Peak platform, bolstered by Single Sign-On (SSO) and Multi-Factor Authentication (MFA) functionalities. We engage in regular internal and external audits, alongside application scanning and penetration testing, to identify and mitigate risks.

The security of customer data is our number one priority at Peak.

David Leitch, CIO and co-founder, Peak

Data Bridge

Connecting to the Peak platform

Our Data Bridge feature allows for seamless connection of your IT infrastructure to the Peak platform, enabling data utilization without the need for transfer, duplication or loss of data ownership. This ensures your data remains secure and governed by your storage security policies, even if it cannot leave your infrastructure.

Policies and compliance

Reporting an incident or event

Interested parties should contact or their relevant company contact. Incidents and events raised automatically create a ticket in a confidential portal for review, response, assessment and RCA.

Risk identification and management

Peak has a formal and repeatable risk assessment method. As part of the ISMS, the approach involves systematic analysis and prioritization of risks based on their potential impact and likelihood. As risks are identified and reviewed they are added to a risk register for annual review by owners assigned from the ISMS board.

Sub-processors and vendor management

Our supplier management process includes reviewing risk, access control and security posture of all external technology vendors. This includes technical due diligence and reviewing security and compliance certifications.

Data management and security

We collect only the data necessary for the projects and applications we support, including potentially sensitive Personally Identifiable Information (PII), under strict documentation and agreements.

Data residency and hosting

Our data is hosted within the EU (Ireland), ensuring compliance with stringent data protection regulations.

The Peak platform, hosted on AWS, encrypts data both at rest and in transit. Through partnerships with leading cloud data infrastructure providers like Snowflake, and by utilizing AWS’s comprehensive security certifications, we maintain a robust security posture.

Data extraction and transfer mechanisms

Peak supports various secure data extraction and transfer mechanisms, ensuring flexible yet secure data management.

All data is encrypted in transit via HTTPS, TLS and is encrypted at rest via AES-256 (minimum).

Authorization and authentication layers are added as appropriate for the connector, such as SignedURL for drag and drop, Oauth for REST APIs or SSL only for JDBC connections.

Data Bridge enables customers to configure connections to their own data storage and data is queried at the source without the need to store any of it in the Peak platform.

Transfer mechanism and refresh frequency is discussed and agreed at the data discovery stage.

Data storage and encryption

Data is securely stored on AWS Cloud Infrastructure and encrypted using AWS Key Management Store (KMS), with encryption keys regularly rotated. This ensures customer data isolation and no cross-access.

All data is stored in AWS S3 and on private AWS Redshift or Snowflake clusters. Data is encrypted at rest using AWS Key Management Store (KMS), and keys are automatically rotated on a regular basis.

All customers have their own isolated database and with no cross-access or shared information.

Data processing

We ensure database credentials encryption and regular rotation, with database access confined within the Peak VPC. Access to customer data is tightly controlled and reviewed regularly.

Data retention

Peak adheres to GDPR Article 5(e), retaining data only as long as necessary for the agreed processing activities.

If you leave Peak’s service (or indeed have provided data to Peak as part of the sales process that does not proceed to a full engagement), we ensure that data is fully deleted as soon as we are requested to do so by the customer.

Access control and multi-factor authentication

Peak implements comprehensive access control measures, including Single Sign On (SSO), Role Based Access Control (RBAC) and Multi-factor Authentication (MFA), to ensure secure data access and tenant isolation.

AI and large language models (LLMs) security


Co:Driver ensures data security and compliance with its generative AI-powered functionalities. OpenAI serves as a subprocessor, processing suggestions and recommendations without direct user exposure. Secure transmission protocols with TLS encryption protect data in transit.

Data isolation is maintained, with separate databases for each tenant. To enhance accuracy and prevent hallucinations, embeddings and a customer-specific knowledge base are utilized.

OpenAI’s data usage policy ensures data submitted or generated is not used to train its models or improve services, providing further assurance of data privacy.

Co:Driver data security

Platform and infrastructure


Cloud-native applications combine serverless computing and containers to create a scalable, highly available, and fault-tolerant architecture.

By leveraging serverless functions for specific tasks and using containers for more complex workloads, cloud-native applications can optimize resource utilization and ensure rapid scaling to meet changing demands.

The deployment of these applications across multiple availability zones further enhances resilience and minimizes the impact of potential failures, ensuring uninterrupted service availability even in the event of disruptions.

Observability and logs

When you use the Peak platform’s features, such as running workflows, deploying endpoints or launching web applications, we record and store the execution of those processes separately for each tenant. This way, only your tenant can access and view its own execution logs through the platform, ensuring the privacy and security of your data.

Infrastructure monitoring is implemented for individual components of Peak, connected with internal communication tools for alerting escalation. Peak has a dedicated team for supporting technical aspects of the platform, and communication workflows for escalating to appropriate commercial or technical teams if events or incidents occur.

Granular User Access (RBAC)

Utilizing role-based access control (RBAC), administrators have precise control over each user’s level of access. This principle allows for the creation of specific roles for different platform features and the assignment of those roles to users, ensuring that users have the minimum necessary access permissions, adhering to the principle of least privilege.

Browser compatibility

The Peak platform is tested during the Quality Assurance (QA) processes with and is compatible with most modern web browsers such as Google Chrome, Brave, Firefox and the latest versions of Microsoft Edge. Mobile compatibility will vary depending on the specific application and feature of the platform.

As a cloud based SaaS platform, no additional software (other than a web browser) should be required to access and use Peak.

Data Bridge for customer data storage

Learn more about Data Bridge here

Security practices and operational security

We conduct regular penetration tests, proactive code scanning, secret scanning, and continuous compliance monitoring to safeguard our application and data.

Threat detection and mitigation

Peak implements anomaly detection to identify suspicious activity or behavior found in API calls, DNS flow logs and more.

Peak’s infrastructure incorporates strategies to mitigate Distributed Denial of Service (DDoS), utilizing AWS Web Application Firewall (WAF), AWS Shield and various forms of Firewall mechanisms for comprehensive protection.

Infosec training and workplace policies

Peak is committed to fostering a culture of security awareness and compliance across the entire organization. To this end, all employees, including contractors and temporary staff, are mandated to undergo comprehensive information security training upon commencing their tenure. This foundational training is accompanied by a thorough review of Peak’s information security policies and processes, ensuring a deep understanding and commitment to our security ethos. Policies and processes include password policies, secure development policies, risk assessment policies, data security and privacy policies, and more.

Security at Peak doesn’t stop at software — physical security processes and principles such as escorting guests, security shredding confidential paper documents after use, cleaning whiteboards and storing devices securely are included.

Moreover, to maintain the highest standards of security vigilance and policy adherence, employees are required to reaffirm their commitment by reviewing and attesting to these policies on an annual basis. This continuous education and reaffirmation process ensures that our team remains equipped with the knowledge and dedication necessary to uphold and enhance our security measures, reflecting Peak’s unwavering commitment to protecting our data, systems, and the privacy of our clients.

Software development lifecycle (SDLC)

Our secure development policy includes a robust SDLC including reviews/approvals before merging code, QA testing before deployment to production as well as integrated and automated security testing (SAST, DAST, Code Quality, Compliance Monitoring) by third party platforms (Github Advanced Security, Sonarqube, Vanta etc.) during development.

Infrastructure is developed and deployed using Infrastructure As Code (IaC) and replicated across the segregated development and production environments.

Patch management

Github Enterprise provides library and package review and updates during development.

AWS facilitates automated patch management for servers through its extensive managed services, conducted on a weekly basis.

Feature flags

Feature flags, also known as feature toggles, are a software development technique that allows developers to control the visibility and behavior of certain features in their application. They work by conditionally enabling or disabling specific code blocks based on predefined criteria such as user type, geographical location or time.

Feature flags are useful for several reasons:

  • Gradual rollout: They enable a gradual rollout of new features to a subset of users, allowing developers to gather feedback and identify any issues before a wider release.
  • A/B testing: They facilitate A/B testing, where different versions of a feature are shown to different groups of users to determine which version performs better.
  • Continuous delivery: They support continuous delivery by allowing developers to deploy code changes without immediately releasing them to all users, reducing the risk of introducing bugs or breaking changes.
  • Experimentation: They enable experimentation with new ideas and features without permanently committing to them.

Device and endpoint protection and management

Peak prioritizes the security of its devices and endpoints as a fundamental aspect of its overall security strategy. From the moment a Peak computer is activated, it is automatically equipped with robust endpoint protection. This includes comprehensive antivirus and malware protection measures designed to thwart a wide array of cyber threats. Other guardrails are implemented internally such as removable media being blocked by default, standardized firewall configuration, centralized application self service etc., so that the team can get their work done safely and securely. Software updates and patches are applied regularly and automated where appropriate.

This proactive approach to device and endpoint security ensures that all hardware within our ecosystem is safeguarded against potential vulnerabilities from the outset. By embedding these protective measures directly into our devices, we minimize the risk of security breaches and maintain the integrity of our data and network. This commitment to automatic and immediate protection underscores Peak’s dedication to maintaining a secure and resilient technological environment.

Secure remote access

At Peak, secure remote access to our internal infrastructure is governed by a policy of denial by default, ensuring the highest level of security. Exceptions are made strictly on a need-to-access basis, such as for critical technical support tasks.

These exceptions are facilitated through a self-hosted VPN, leveraging industry-standard encryption protocols, including the Advanced Encryption Standard (AES), and robust authentication mechanisms supported by Public Key Infrastructure (PKI).

Multi-Factor Authentication (MFA) is mandated for all remote access requests, reinforcing our commitment to maintaining a secure and controlled access environment. This approach underscores our dedication to safeguarding our infrastructure while providing necessary access under stringent security measures.

Log management

At Peak, we prioritize meticulous log management to ensure the integrity and security of our systems and data. Key operational logs, including API calls, user access, and errors, are systematically recorded and preserved for over a year. We employ the most suitable tools for managing these logs, taking into account their specific requirements, such as the necessity for long or short-term storage and the frequency of access.

Access to these logs is strictly regulated, adhering to the principle of least privilege, ensuring that individuals can access only the information essential for their role. Moreover, all logs are encrypted during storage and transmission to safeguard data confidentiality and integrity. Additionally, to maintain the privacy and security of our customers’ data, logs specific to a customer’s tenant are isolated within dedicated log groups, further enhancing data protection and privacy.

Recovery and availability

Disaster recovery plans

At Peak, we recognize the critical importance of being prepared for and capable of recovering from any disaster, be it a service outage like those affecting AWS services such as DynamoDB or S3, or broader disruptions caused by hardware failures, network issues, power outages, natural disasters, human error, or other significant events. Our comprehensive disaster recovery strategy is detailed in our internal Internal Response policies and documentation.

Our approach to disaster recovery involves a continuous cycle of preparation, response, and recovery efforts tailored to a wide range of potential scenarios. These plans are system-specific, regularly reviewed, and updated to ensure relevance and effectiveness. They encompass business continuity plans that address both internal and external events, ensuring Peak’s resilience in the face of disruptions.

The document outlines potential disaster scenarios, our mitigation strategies, and our response plans, ensuring a structured and effective approach to crisis management. It covers the main components of the Peak platform and underlying services, addressing each with a dedicated section to ensure comprehensive preparedness.

We base our disaster recovery objectives on two critical metrics: the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). These metrics guide our efforts to meet or exceed Service Level Agreements (SLAs) and maintain our commitment to system uptime.

Data backups

AWS managed platforms (S3, Amazon DynamoDB, Redshift etc.) offer high availability and simple automation for backups and data retention.

Point-in-time recovery is enabled wherever feasible.

Backups are also tested as part of disaster recovery testing and scenario planning.

Cloud-native infrastructure and uptime commitment

The Peak platform’s cloud-native infrastructure is designed for maximum resilience, distributed across multiple availability zones to mitigate the impact of any single data center’s failure. This architectural choice ensures our ability to maintain operational continuity and safeguard data integrity, even in the face of widespread disasters.

Our commitment to reliability is reflected in our promise of a minimum of 98% uptime, supported by various support tiers designed to meet the diverse needs of our customers. This pledge underscores our dedication to providing dependable, uninterrupted service, reinforcing our role as a trusted partner in your data management and analytics endeavors.