Overview

At Permutive, security isn’t just a checkbox—it’s a core principle we uphold in everything we do. It is embedded across our technology, processes, and organizational culture. Our team includes security professionals who ensure robust security measures are embedded into our technology stack and processes. We continuously improve our security posture through proactive assessments, rigorous testing, and a commitment to industry best practices. Our Trust Center contains more information about our security posture.

Trust Center

Visit the Permutive Trust Center at https://trust.permutive.com for our SOC 2 compliance attestation, subprocessors, and live compliance status.

Data Security

  • Encryption at rest: Customer data is encrypted at rest using industry-standard cryptographic algorithms (AES-256).
  • Encryption in transit: Data in transit between clients, services, and internal systems is protected using TLS 1.2 or higher.
  • Key management: Encryption keys are protected using hardened cloud key management services with strict access controls, separation of duties, and auditing. Permutive leverages managed key management infrastructure provided by its cloud service providers.
  • Data isolation: Customer data is logically isolated between tenants using application- and infrastructure-level access controls.

Identity and Access Management

  • Single Sign-On (SSO): Permutive supports enterprise authentication using SAML and OpenID Connect, enabling customers to integrate with their corporate identity providers.
  • Multi-Factor Authentication (MFA): Multi-factor authentication is enforced through customer identity providers for privileged and administrative access.
  • Role-Based Access Control (RBAC): Access to platform features is governed by role-based permissions aligned with the principle of least privilege.
  • Just-in-time privileged access: Privileged access to production systems is granted on a just-in-time basis using privileged access management controls, with time-bound permissions and approval workflows to minimize standing privileges.

Platform and Infrastructure Security

  • Secure cloud architecture: Permutive operates on hardened cloud infrastructure with environment isolation, network segmentation, and controlled access pathways for administrative and production systems.
  • Perimeter and network protection: Web application and network traffic are protected using cloud-native security controls, including DDoS mitigation and application-layer filtering.
  • Continuous vulnerability management: We perform continuous vulnerability scanning and assessment across application code, cloud infrastructure, and workloads.
  • Runtime and workload protection: Cloud-native security tooling is used to monitor workloads, detect threats, and identify misconfigurations and vulnerabilities.
  • Secure software development lifecycle (SDLC): Security testing is integrated into development pipelines, including automated code analysis and dependency scanning, with security reviews for high-risk changes.

Compliance and Independent Assurance

  • SOC 2 Type II and SOC 3: Permutive undergoes annual independent SOC 2 Type II audits, with SOC 3 reports available publicly.
  • Independent penetration testing: External penetration tests are conducted by independent security specialists on a regular basis.
  • Private bug bounty program: Permutive operates a private vulnerability disclosure and bug bounty program to facilitate responsible reporting of security issues.
  • Continuous security monitoring: Production systems and security events are monitored continuously, with defined escalation and response procedures.

Incident Response

  • Incident response procedures: Permutive maintains documented incident response processes with defined roles, escalation paths, and communication procedures.
  • Customer notification: Security incidents affecting customer data are communicated in accordance with contractual and regulatory obligations.

Shared Responsibility Model

Security responsibilities are shared between Permutive and its customers. Permutive is responsible for securing the underlying platform infrastructure, services, and managed components. Customers are responsible for identity management, access configuration, and the appropriate use of the platform in accordance with their security and privacy requirements.

Learn More

Trust Center

Access compliance reports, penetration testing documentation, security FAQs, and live compliance status in the Permutive Trust Center.
For security-related inquiries, contact [email protected].