
Information security and compliance

Peak provides a centralized environment for managing data and executing data science workflows within a secure infrastructure. It lets data scientists access data without compromising security or data governance.

Peak's security credentials

Our commitment to privacy and security

At Peak, security is at the heart of our operations, ensuring the resilience of our business. We’re proud to hold ISO 27001 certification and undergo annual SOC 2 Type 2 audits by an accredited third-party auditor. Additionally, we adhere to the Data Protection Act 2018, reflecting our ongoing commitment to GDPR compliance.

To ensure the protection of data while enabling data scientists to perform their roles, we implement controlled data access on the Peak platform, bolstered by Single Sign-On (SSO) and Multi-Factor Authentication (MFA) functionalities. We engage in regular internal and external audits, alongside application scanning and penetration testing, to identify and mitigate risks.


The security of customer data is our number one priority at Peak.

David Leitch, CIO and co-founder, Peak

Data Bridge

Connecting to the Peak platform

Our Data Bridge feature allows for seamless connection of your IT infrastructure to the Peak platform, enabling data utilization without the need for transfer, duplication or loss of data ownership. This ensures your data remains secure and governed by your storage security policies, even if it cannot leave your infrastructure.

Policies and compliance

Reporting an incident or event

Interested parties should contact security@peak.ai or their relevant company contact. Incidents and events raised automatically create a ticket in a confidential portal for review, response, assessment and root cause analysis (RCA).

Risk identification and management

Peak has a formal and repeatable risk assessment method. As part of the ISMS, the approach involves systematic analysis and prioritization of risks based on their potential impact and likelihood. As risks are identified and reviewed, they are added to a risk register for annual review by owners assigned from the ISMS board.

Sub-processors and vendor management

Our supplier management process includes reviewing risk, access control and security posture of all external technology vendors. This includes technical due diligence and reviewing security and compliance certifications.

Data management and security

We collect only the data necessary for the projects and applications we support, including potentially sensitive Personally Identifiable Information (PII), under strict documentation and agreements.

Data residency and hosting

Our data is hosted within the EU (Ireland), ensuring compliance with stringent data protection regulations.

The Peak platform, hosted on AWS, encrypts data both at rest and in transit. Through partnerships with leading cloud data infrastructure providers like Snowflake, and by utilizing AWS’s comprehensive security certifications, we maintain a robust security posture.

Data extraction and transfer mechanisms

Peak supports various secure data extraction and transfer mechanisms, ensuring flexible yet secure data management.

All data is encrypted in transit (HTTPS/TLS) and at rest (AES-256 at minimum).

Authorization and authentication layers are added as appropriate for the connector, such as signed URLs for drag-and-drop uploads, OAuth for REST APIs, or SSL-only for JDBC connections.

Data Bridge enables customers to configure connections to their own data storage and data is queried at the source without the need to store any of it in the Peak platform.

The transfer mechanism and refresh frequency are discussed and agreed at the data discovery stage.

Data storage and encryption

Data is stored on AWS cloud infrastructure, in AWS S3 and on private AWS Redshift or Snowflake clusters, and is encrypted at rest using AWS Key Management Service (KMS), with encryption keys rotated automatically on a regular basis.

Each customer has its own isolated database, with no cross-access or shared information between customers.

Data processing

Database credentials are encrypted and rotated regularly, and database access is confined to the Peak VPC. Access to customer data is tightly controlled and reviewed regularly.

Data retention

Peak adheres to GDPR Article 5(e), retaining data only as long as necessary for the agreed processing activities.

If you leave Peak’s service (or indeed have provided data to Peak as part of the sales process that does not proceed to a full engagement), we ensure that data is fully deleted as soon as we are requested to do so by the customer.

Access control and multi-factor authentication

Peak implements comprehensive access control measures, including Single Sign-On (SSO), Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA), to ensure secure data access and tenant isolation.

AI and large language models (LLMs) security

Co:Driver

Co:Driver ensures data security and compliance with its generative AI-powered functionalities. OpenAI serves as a subprocessor, processing suggestions and recommendations without direct user exposure. Secure transmission protocols with TLS encryption protect data in transit.

Data isolation is maintained, with separate databases for each tenant. To enhance accuracy and prevent hallucinations, embeddings and a customer-specific knowledge base are utilized.

OpenAI’s data usage policy ensures data submitted or generated is not used to train its models or improve services, providing further assurance of data privacy.


Platform and infrastructure

Architecture

Cloud-native applications combine serverless computing and containers to create a scalable, highly available, and fault-tolerant architecture.

By leveraging serverless functions for specific tasks and using containers for more complex workloads, cloud-native applications can optimize resource utilization and ensure rapid scaling to meet changing demands.

The deployment of these applications across multiple availability zones further enhances resilience and minimizes the impact of potential failures, ensuring uninterrupted service availability even in the event of disruptions.

Observability and logs

When you use the Peak platform’s features, such as running workflows, deploying endpoints or launching web applications, we record and store the execution of those processes separately for each tenant. This way, only your tenant can access and view its own execution logs through the platform, ensuring the privacy and security of your data.

Infrastructure monitoring is implemented for individual components of Peak, connected with internal communication tools for alert escalation. Peak has a dedicated team for supporting technical aspects of the platform, and communication workflows for escalating to the appropriate commercial or technical teams if events or incidents occur.

Granular User Access (RBAC)

Utilizing role-based access control (RBAC), administrators have precise control over each user’s level of access. This allows for the creation of specific roles for different platform features and the assignment of those roles to users, ensuring that users have the minimum necessary access permissions, adhering to the principle of least privilege.
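The following is an added example, not Peak's code, of the tenant-scoped RBAC pattern described here and in the access control section above: roles are named sets of (feature, action) permissions, every user is bound to one tenant, and authorization denies by default. The role names, feature names, tenants and users are constructed for illustration; the helper that picks the smallest role covering a requested permission set shows one way an administrator can keep assignments at least privilege.

```python
"""Tenant-scoped role-based access control with deny-by-default.

Added example (not Peak's code). Roles, permissions, tenants and users below
are constructed for illustration; Peak's actual role and feature names are
not shown on the page.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Permission = Tuple[str, str]  # (feature, action), e.g. ("workflows", "run")

# Constructed roles: each grants only the feature/action pairs its job needs.
ROLES: Dict[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("workflows", "view"), ("logs", "view")}),
    "data-scientist": frozenset({
        ("workflows", "view"), ("workflows", "run"),
        ("logs", "view"), ("endpoints", "deploy"),
    }),
    "tenant-admin": frozenset({("users", "manage"), ("roles", "assign")}),
}

# Constructed users, each belonging to exactly one tenant.
USERS: Dict[str, dict] = {
    "alice": {"tenant": "acme", "roles": {"data-scientist"}},
    "bob": {"tenant": "acme", "roles": {"viewer"}},
    "carol": {"tenant": "globex", "roles": {"tenant-admin", "viewer"}},
}


def effective_permissions(user_id: str, users=USERS, roles=ROLES) -> Set[Permission]:
    """Union of the permissions granted by all of a user's roles.

    An unknown user or an unknown role name grants nothing, so a typo in a
    role assignment cannot accidentally widen access.
    """
    user = users.get(user_id)
    if user is None:
        return set()
    perms: Set[Permission] = set()
    for role in user["roles"]:
        perms |= roles.get(role, frozenset())
    return perms


def authorize(user_id: str, tenant: str, feature: str, action: str,
              users=USERS, roles=ROLES) -> bool:
    """Deny by default.

    The user must exist, must belong to the tenant that owns the resource
    (tenant isolation is checked before any role is consulted), and must hold
    a role that grants exactly this (feature, action) pair.
    """
    user = users.get(user_id)
    if user is None or user["tenant"] != tenant:
        return False
    return (feature, action) in effective_permissions(user_id, users, roles)


def least_privilege_role(required: Set[Permission], roles=ROLES) -> Optional[str]:
    """Smallest single role that covers every required permission, or None.

    Helps an administrator assign the narrowest role that still lets a user
    do their job, rather than defaulting to the broadest one.
    """
    candidates = [name for name, perms in roles.items() if required <= perms]
    if not candidates:
        return None
    return min(candidates, key=lambda name: len(roles[name]))


if __name__ == "__main__":
    print("alice runs an acme workflow:", authorize("alice", "acme", "workflows", "run"))
    print("alice runs a globex workflow:", authorize("alice", "globex", "workflows", "run"))
    print("role for view-only access:", least_privilege_role({("workflows", "view")}))
```

Because the tenant check happens before the permission lookup, a user who holds a powerful role in one tenant still gets a flat denial for another tenant's resources, which is the isolation property the page describes.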

Browser compatibility

The Peak platform is tested during Quality Assurance (QA) against, and is compatible with, most modern web browsers such as Google Chrome, Brave, Firefox and the latest versions of Microsoft Edge. Mobile compatibility will vary depending on the specific application and feature of the platform.

As a cloud-based SaaS platform, no additional software (other than a web browser) should be required to access and use Peak.


Security practices and operational security

We conduct regular penetration tests, proactive code scanning, secret scanning, and continuous compliance monitoring to safeguard our application and data.

Threat detection and mitigation

Peak implements anomaly detection to identify suspicious activity or behavior found in API calls, DNS flow logs and more.

Peak’s infrastructure incorporates strategies to mitigate Distributed Denial of Service (DDoS) attacks, utilizing AWS Web Application Firewall (WAF), AWS Shield and other firewall mechanisms for comprehensive protection.

Infosec training and workplace policies

Peak is committed to fostering a culture of security awareness and compliance across the entire organization. To this end, all employees, including contractors and temporary staff, are mandated to undergo comprehensive information security training upon commencing their tenure. This foundational training is accompanied by a thorough review of Peak’s information security policies and processes, ensuring a deep understanding and commitment to our security ethos. Policies and processes include password policies, secure development policies, risk assessment policies, data security and privacy policies, and more.

Security at Peak doesn’t stop at software — physical security processes and principles such as escorting guests, security shredding confidential paper documents after use, cleaning whiteboards and storing devices securely are included.

Moreover, to maintain the highest standards of security vigilance and policy adherence, employees are required to reaffirm their commitment by reviewing and attesting to these policies on an annual basis. This continuous education and reaffirmation process ensures that our team remains equipped with the knowledge and dedication necessary to uphold and enhance our security measures, reflecting Peak’s unwavering commitment to protecting our data, systems, and the privacy of our clients.

Software development lifecycle (SDLC)

Our secure development policy includes a robust SDLC with reviews and approvals before merging code, QA testing before deployment to production, and integrated, automated security testing (SAST, DAST, code quality, compliance monitoring) by third-party platforms (GitHub Advanced Security, SonarQube, Vanta, etc.) during development.

Infrastructure is developed and deployed using Infrastructure as Code (IaC) and replicated across the segregated development and production environments.

Patch management

GitHub Enterprise provides library and package review and updates during development.

AWS facilitates automated patch management for servers through its extensive managed services, conducted on a weekly basis.

Feature flags

Feature flags, also known as feature toggles, are a software development technique that allows developers to control the visibility and behavior of certain features in their application. They work by conditionally enabling or disabling specific code blocks based on predefined criteria such as user type, geographical location or time.

Feature flags are useful for several reasons:

  • Gradual rollout: They enable a gradual rollout of new features to a subset of users, allowing developers to gather feedback and identify any issues before a wider release.
  • A/B testing: They facilitate A/B testing, where different versions of a feature are shown to different groups of users to determine which version performs better.
  • Continuous delivery: They support continuous delivery by allowing developers to deploy code changes without immediately releasing them to all users, reducing the risk of introducing bugs or breaking changes.
  • Experimentation: They enable experimentation with new ideas and features without permanently committing to them.
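As an added example (not Peak's code), the evaluator below implements the mechanism this section describes: a flag is switched on or off for a request according to predefined criteria (user type, region, time window), and a gradual rollout is made stable by hashing the flag name and user id into a fixed bucket, so a user does not flip in and out of a feature between requests. The flag names, rule fields and sample users are constructed for this example, and unknown or disabled flags fail closed.

```python
"""Feature-flag evaluation with criteria and a deterministic gradual rollout.

Added example (not Peak's code). Flag names, rule fields and users below are
constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone
from typing import Optional, Union

# Constructed flag configuration (hypothetical flag names and rules).
FLAGS = {
    "new-dashboard": {
        "enabled": True,
        "allowed_user_types": {"internal", "beta"},  # None would mean any type
        "allowed_regions": {"eu-west-1"},            # None would mean any region
        "start": "2024-06-01T00:00:00+00:00",        # window start, inclusive
        "end": None,                                 # no end of window
        "rollout_percent": 25,                       # share of eligible users
    },
    "export-v2": {
        "enabled": True,
        "allowed_user_types": None,
        "allowed_regions": None,
        "start": None,
        "end": None,
        "rollout_percent": 100,                      # fully released
    },
    "legacy-export": {
        "enabled": False,                            # kill switch: off for everyone
        "allowed_user_types": None,
        "allowed_regions": None,
        "start": None,
        "end": None,
        "rollout_percent": 100,
    },
}


def rollout_bucket(flag_name: str, user_id: str) -> int:
    """Map (flag, user) to a stable bucket in 0..99.

    Hashing the pair keeps a user consistently in or out of a gradual rollout,
    and different flags roll out to different subsets of users.
    """
    digest = hashlib.sha256(f"{flag_name}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """ISO-8601 string with offset -> aware datetime; None stays None."""
    return datetime.fromisoformat(ts) if ts else None


def is_enabled(flag_name: str, user: dict,
               now: Union[datetime, str, None] = None, flags=FLAGS) -> bool:
    """Evaluate one flag for one request. Unknown or disabled flags are off."""
    rule = flags.get(flag_name)
    if rule is None or not rule["enabled"]:
        return False
    if isinstance(now, str):
        now = _parse(now)
    now = now or datetime.now(timezone.utc)
    start, end = _parse(rule["start"]), _parse(rule["end"])
    if start is not None and now < start:
        return False
    if end is not None and now >= end:
        return False
    types = rule["allowed_user_types"]
    if types is not None and user.get("type") not in types:
        return False
    regions = rule["allowed_regions"]
    if regions is not None and user.get("region") not in regions:
        return False
    # Gradual rollout: only the lowest N buckets of eligible users see the feature.
    return rollout_bucket(flag_name, user["id"]) < rule["rollout_percent"]


def rollout_fraction(flag_name: str, users, now=None, flags=FLAGS) -> float:
    """Share of the given users for whom the flag evaluates to on."""
    users = list(users)
    hits = sum(is_enabled(flag_name, u, now, flags) for u in users)
    return hits / len(users) if users else 0.0


if __name__ == "__main__":
    when = "2024-07-01T00:00:00+00:00"
    beta = [{"id": f"user-{i}", "type": "beta", "region": "eu-west-1"} for i in range(1000)]
    print("new-dashboard reach among beta users:", rollout_fraction("new-dashboard", beta, when))
    print("export-v2 for an external user:", is_enabled("export-v2", {"id": "u1", "type": "external"}, when))
```

Every criterion is a reason to deny, and the rollout percentage is applied last, so widening a rollout from 25% to 50% only adds users whose buckets fall in the new range; users already in the feature stay in it.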

Device and endpoint protection and management

Peak prioritizes the security of its devices and endpoints as a fundamental aspect of its overall security strategy. From the moment a Peak computer is activated, it is automatically equipped with robust endpoint protection. This includes comprehensive antivirus and malware protection measures designed to thwart a wide array of cyber threats. Other guardrails are implemented internally such as removable media being blocked by default, standardized firewall configuration, centralized application self service etc., so that the team can get their work done safely and securely. Software updates and patches are applied regularly and automated where appropriate.

This proactive approach to device and endpoint security ensures that all hardware within our ecosystem is safeguarded against potential vulnerabilities from the outset. By embedding these protective measures directly into our devices, we minimize the risk of security breaches and maintain the integrity of our data and network. This commitment to automatic and immediate protection underscores Peak’s dedication to maintaining a secure and resilient technological environment.

Secure remote access

At Peak, secure remote access to our internal infrastructure is governed by a policy of denial by default, ensuring the highest level of security. Exceptions are made strictly on a need-to-access basis, such as for critical technical support tasks.

These exceptions are facilitated through a self-hosted VPN, leveraging industry-standard encryption protocols, including the Advanced Encryption Standard (AES), and robust authentication mechanisms supported by Public Key Infrastructure (PKI).

Multi-Factor Authentication (MFA) is mandated for all remote access requests, reinforcing our commitment to maintaining a secure and controlled access environment. This approach underscores our dedication to safeguarding our infrastructure while providing necessary access under stringent security measures.

Log management

At Peak, we prioritize meticulous log management to ensure the integrity and security of our systems and data. Key operational logs, including API calls, user access, and errors, are systematically recorded and preserved for over a year. We employ the most suitable tools for managing these logs, taking into account their specific requirements, such as the necessity for long or short-term storage and the frequency of access.

Access to these logs is strictly regulated, adhering to the principle of least privilege, ensuring that individuals can access only the information essential for their role. Moreover, all logs are encrypted during storage and transmission to safeguard data confidentiality and integrity. Additionally, to maintain the privacy and security of our customers’ data, logs specific to a customer’s tenant are isolated within dedicated log groups, further enhancing data protection and privacy.

Recovery and availability

Disaster recovery plans

At Peak, we recognize the critical importance of being prepared for and capable of recovering from any disaster, be it a service outage like those affecting AWS services such as DynamoDB or S3, or broader disruptions caused by hardware failures, network issues, power outages, natural disasters, human error, or other significant events. Our comprehensive disaster recovery strategy is detailed in our internal response policies and documentation.

Our approach to disaster recovery involves a continuous cycle of preparation, response, and recovery efforts tailored to a wide range of potential scenarios. These plans are system-specific, regularly reviewed, and updated to ensure relevance and effectiveness. They encompass business continuity plans that address both internal and external events, ensuring Peak’s resilience in the face of disruptions.

This documentation outlines potential disaster scenarios, our mitigation strategies, and our response plans, ensuring a structured and effective approach to crisis management. It covers the main components of the Peak platform and underlying services, addressing each with a dedicated section to ensure comprehensive preparedness.

We base our disaster recovery objectives on two critical metrics: the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). These metrics guide our efforts to meet or exceed Service Level Agreements (SLAs) and maintain our commitment to system uptime.

Data backups

AWS managed platforms (S3, Amazon DynamoDB, Redshift etc.) offer high availability and simple automation for backups and data retention.

Point-in-time recovery is enabled wherever feasible.

Backups are also tested as part of disaster recovery testing and scenario planning.

Cloud-native infrastructure and uptime commitment

The Peak platform’s cloud-native infrastructure is designed for maximum resilience, distributed across multiple availability zones to mitigate the impact of any single data center’s failure. This architectural choice ensures our ability to maintain operational continuity and safeguard data integrity, even in the face of widespread disasters.

Our commitment to reliability is reflected in our promise of a minimum of 98% uptime, supported by various support tiers designed to meet the diverse needs of our customers. This pledge underscores our dedication to providing dependable, uninterrupted service, reinforcing our role as a trusted partner in your data management and analytics endeavors.