Perflo Security & Privacy


Last updated October 15, 2021

Overview

Perflo takes the security and privacy of customer data very seriously, with robust policies, controls, and systems in place to keep your information safe and secure. We adhere to NIST security regulations (esp. NIST.IR 7621r1) and the Payment Card Industry Data Security Standards (esp. PCI DSS v3.2.1).

People Security

All Perflo employees and contractors are required to understand and follow strict internal policies and standards. Everyone is trained on security topics including, but not limited to, device security, phishing, preventing spyware/malware, physical security, data privacy, account management, and incident reporting.

Application Security

Perflo follows software development security best practices. All code is version controlled and goes through peer review and testing to screen for potential security issues. Changes to the production environment are logged and the entire development team is notified of each release.

Authentication

Perflo users log in with their Slack and Microsoft Teams accounts using OAuth 2.0, an industry standard for authorizing secure access to external apps, or with an email address and password. Users may revoke Perflo's access at any time and also are able to request their data be deleted     . Perflo is a verified Microsoft publisher/ app.

Password Security

All users that use passwords are required to abide by our password policy which requires:

  • A minimum of 8 characters
  • At least 1 number
  • At least 1 lowercase character
  • At least 1 UPPERCASE character

Or alternatively

  • At least 12 characters
  • Does not appear in previous breach corpuses.
  • Does not contain sequential (ex. “1234”) or repeated (ex. “aaaa”) characters

All passwords stored by Perflo are hashed using secure one-way methods and salted.

Network Security

Encryption in transit

All data in transit between users, Perflo, and email/messaging services is encrypted using 256-bit SSL/TLS. These protocols are revised as new threats and vulnerabilities are identified.

Network Isolation

Perflo divides its systems into separate networks using logically isolated VPCs in AWS data centers. Systems supporting testing and development activities are hosted in a separate network and in separate applications from systems supporting Perflo's production services. Customer data only exists and is only permitted to exist in Perflo's production network. Network access to Perflo's production environment is restricted. Only network protocols essential for delivery of Perflo's service to its users are open at Perflo's perimeter. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.

Physical Security

Data center security

Perflo’s infrastructure is built on top of Amazon Web Services, and is housed in data centers operated by Amazon. Amazon has strict policies for physical security, including 24-hour video surveillance and strict access restrictions which are described in detail here:

Office security

All employee devices must meet our security standards. These standards require all computers to have strong passwords per our password policy, encrypt data on disk, run anti-virus software, and lock automatically when idle. No data is stored on employee computers.  

Data Security

Data We Collect

Through Perflo’s Slack and Microsoft Teams plug-in, This app will have permission to:

  • Receive messages and data that I provide to it.
  • Send me messages and notifications.
  • Access my profile information such as my name, email address, company name, and preferred language.
  • Send messages and notifications to users.
  • Access this team’s information such as team name, channel list and roster (including team member’s names and email addresses) - and use this to contact them​.
  • Install and update the app as needed

Lastly, any cookies or other online identifiers including unique IDs, IP addresses, device information and PII derived therefrom shall be retained for up to 90 days.
Perflo strives for lean analysis of data, and only collects data that is necessary for processing purposes. Perflo reviews our data collection processes on a quarterly basis to ensure we only collect data that is necessary to provide the services to the user. In addition, Perflo’s Data Privacy & Security Team reviews all products and services with respect to data collection during the design phase. All data must be processed in accordance with authorized purposes which are documented in Perflo’s records of processing. An individual can request confirmation of whether or not personal information has been collected or held about the requesting individual by sending an email to hello@perflo.co. Perflo will respond to all such requests and provide confirmation within 30 days.

Data Sharing

We do not share or transfer personally identifiable information or the content of any user’s messages with any party, except as required by law or as needed for the purposes of collection or related to providing the Service to users. A user’s employer will have access to reports based on metadata, computed statistics, and classifications aggregated over many messages, but the content of any individual message will not be exposed. This includes but is not limited to (i) requiring that processors notify Perflo of requests received directly from the data subject and (ii) deal promptly and properly with all inquiries from Perflo relating to processor's processing of the personal data subject to the transfer. Perflo continuously reviews data transfer procedures to Processors and Controllers to ensure the transfer of personal identifiable information is limited to fulfilling purposes of collection or related purposes only.

Data Access and Privacy

Perflo stores all personal identifiable information (PII), such as, but not limited to, name or email address, separately from other user data.   Perflo strictly limits access to customer data by using role-based Access Control Lists. Only Perflo’s Data Privacy & Security Team can grant temporary access to PII data for essential job functions in a secure environment. All access to customer data is logged and reviewed quarterly by the executive team. Access of PII without a clear technical justification is a fireable offense. At any time, a user may request access to the personal identifiable information collected about them by sending an email to hello@perflo.co with the subject line “Data Access Request”. Perflo will verify the email matches the email that was authorized with the Perflo platform before providing access. Perflo will respond to all Data Access Requests within 30 days. If access is refused, Perflo will provide the requesting-individual with an explanation of why access will not be provided, together with contact information for further inquiries about the denial of access. Upon request, Perflo will provide confirmation of whether or not PI is being processed about the requesting individual.

Data Removal

At any time, a user may stop using the Service and request for a full removal of their data (via an email to hello@perflo.co or clicking on the “delete account” link in their user settings tab from their Perflo account). Clicking the “delete account” link will trigger an email to Perflo’s Perflo’s Data Privacy & Security Team to start the account delete process. Within a period of 30 days, all of the user’s submitted content and PII will be removed from the running database by deleting the affected rows. All database backups are securely deleted after 3 months.

Data Correction

If a user believes their data stored on Perflo is incorrect, they, at any time, may contact us and request their data to be corrected by sending an email to hello@perflo.co with the subject line “Information Correction Request”. Perflo will respond to all Data Correction Requests within 30 days. If correction is refused, Perflo will provide the requesting-individual with an explanation of why correction will not be provided, together with contact information for further inquiries about the denial of correction. Perflo will reply to all Information Correction Request emails within 30 days and provide a confirmation that the information has been corrected or deleted.

Encryption at rest

All data at rest in Perflo's production network is encrypted using 256-bit Advanced Encryption Standard (AES).

Server hardening

Production servers and serverless services are hardened, with the minimally required set of services allowed to run. A custom based server image which is continuously reviewed and updated for security is used to run all production services.

Vulnerability Management

Perflo uses third party services to run automated vulnerability tests on the production environment. Engineers are always on call to immediately address any issues.
Perflo is hosted in Amazon Web Services (AWS) data centers, which are certified to meet compliance requirements of SOC2 and ISO27001. Details can be found here. To request a copy of Perflo’s SOC2 report or Security Policies (including Change Management, Incident Management, etc.) please send a request to hello@perflo.co. At any time, a user may submit a Privacy Shield related complaint or question by sending an email to hello@perflo.co. All Privacy Shield related complaints or questions will be responded to within a period of 30 days.

User Notification

Perflo will notify its customers within twenty-four hours after detecting or suspecting any information security incidents (or any potential data breach, security breach or similar).

Interested in working with us?

Drop us a line and let us know what’s on your mind.