Security is not a feature.
It's the foundation.

Peripamo provides quantitative risk analytics for banks and asset managers. We handle sensitive portfolio data, regulatory calculations, and AI-powered analysis. Security and data privacy are non-negotiable.

Continuously monitored against 20+ frameworks

Live compliance scores from Datadog Cloud Security Management. These are not self-assessments. Every control is verified against our running infrastructure.

All systems passing
ISO 27001: 100%
SOC 2 Type II: 100%
NIST 800-53: 100%
MAS TRM: 100%
GDPR: 100%
CIS GCP: 100%
ISO 42001 (AI): 100%
NIST AI RMF: 100%
HIPAA: 100%
PCI DSS: 100%

Zero critical, high, or medium severity findings open.

Scores reflect continuous infrastructure monitoring via Datadog Cloud Security Management, not formal certification: they cover the technical controls CSM can evaluate against cloud configuration and running workloads, not the organizational controls (policies, personnel, vendor management) that a certification audit also examines. We are actively working toward SOC 2 Type II and ISO 27001 certification.

Per-tenant isolation by design

Every client gets a dedicated, isolated database instance. Client data is never co-mingled across tenants.

Tenant Isolation

Each client's portfolio data lives in a physically separate database. No shared tables, no row-level filtering. Full database-level separation.

Data Residency

Primary compute and object storage run in Google Cloud's Singapore region (asia-southeast1), and the managed database is also hosted in Singapore. Compute, storage, and data processing stay within the region.

Encryption

All data encrypted in transit (TLS/HTTPS with HSTS enforced) and at rest. No public IPs or exposed ports. All traffic routed through secure tunnels.

Access Control

Token-based authentication on every API request. Short-lived internal service tokens for inter-service communication. Email-based access whitelisting.

Secret Management

All credentials, API keys, and secrets managed through a dedicated secrets platform. Never stored in code, configuration files, or environment files.

Dev/UAT Isolation

Production data is never used in development. Automated anonymization strips all PII before seeding test environments. Auth data is excluded entirely.
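
The seeding pipeline above, as an added example (not Peripamo's code; table names, field names and the records are constructed). Authentication tables are dropped rather than anonymized, identifying fields are replaced with keyed pseudonyms so foreign keys still join but the originals cannot be recovered without the key, free-text fields are scanned for stray PII, and the numeric portfolio fields the risk calculations need are left intact. A final check refuses to emit a dataset that still contains a real email address:

```python
"""Anonymize a production dump before it seeds a dev/UAT environment.
Added example, not Peripamo's code. Tables, fields and records below are constructed."""
import hashlib
import hmac
import re
from typing import Dict, List

# Tables holding authentication data are excluded entirely, never anonymized.
AUTH_TABLES = {"users_auth", "sessions", "api_keys"}

# Identifying fields get a keyed pseudonym; the same value maps to the same pseudonym in every table.
PSEUDONYMIZE = {"clients": {"name", "email", "phone"}, "contacts": {"name", "email"}}

# Email addresses that survive anywhere in the output are a pipeline failure,
# except for the reserved example.invalid domain the pseudonymizer itself emits.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
PSEUDONYM_DOMAIN = "example.invalid"

# Constructed production dump (not real data).
PRODUCTION_DUMP: Dict[str, List[dict]] = {
    "users_auth": [{"user_id": 1, "password_hash": "$2b$12$examplehash", "mfa_secret": "JBSWY3DPEHPK3PXP"}],
    "clients": [{"client_id": 7, "name": "Alice Tan", "email": "alice@bank.example", "phone": "+65 9000 0000"}],
    "contacts": [{"client_id": 7, "name": "Alice Tan", "email": "alice@bank.example", "role": "PM"}],
    "positions": [
        {"client_id": 7, "isin": "SG1A12345678", "quantity": 1000, "market_value": 52300.50,
         "note": "Contact alice@bank.example before rebalance"},
    ],
}


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: stable across tables (for joins), unrecoverable without the key."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{digest}@{PSEUDONYM_DOMAIN}" if field == "email" else f"{field}_{digest}"


def scrub_free_text(text: str) -> str:
    """Free-text columns may carry ad-hoc PII; redact anything shaped like an email address."""
    return EMAIL_RE.sub("[redacted-email]", text)


def contains_pii(dump: Dict[str, List[dict]]) -> bool:
    """True if any auth table is present or any string value holds a non-pseudonym email."""
    if AUTH_TABLES & set(dump):
        return True
    for rows in dump.values():
        for row in rows:
            for value in row.values():
                if isinstance(value, str) and any(m.group(1) != PSEUDONYM_DOMAIN for m in EMAIL_RE.finditer(value)):
                    return True
    return False


def anonymize_dump(key: bytes, dump: Dict[str, List[dict]]) -> Dict[str, List[dict]]:
    out: Dict[str, List[dict]] = {}
    for table, rows in dump.items():
        if table in AUTH_TABLES:
            continue                      # auth data never reaches UAT
        pii_fields = PSEUDONYMIZE.get(table, set())
        out[table] = []
        for row in rows:
            new_row = {}
            for field, value in row.items():
                if field in pii_fields:
                    new_row[field] = pseudonym(key, field, str(value))
                elif isinstance(value, str):
                    new_row[field] = scrub_free_text(value)
                else:
                    new_row[field] = value   # numeric portfolio data stays usable
            out[table].append(new_row)
    if contains_pii(out):
        raise RuntimeError("anonymization incomplete; refusing to emit seed data")
    return out


if __name__ == "__main__":
    print(anonymize_dump(b"uat-seed-key", PRODUCTION_DUMP))
```

The key used for the pseudonyms should live in the secrets platform alongside everything else and should not be the same key in production and UAT, otherwise the mapping becomes a lookup table.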

AI agents under strict operational control

Our platform uses AI agents for risk analysis, compliance review, and data querying. Every agent operates within enforced security boundaries.

Agent Containment

  • Hardened containers with privilege escalation prevention
  • Sandboxed execution environments with resource limits
  • Restricted command allowlists: only approved operations can run
  • Automatic workspace cleanup with size caps and time limits

Operational Safety

  • Instant kill switch: any agent can be disabled immediately
  • Full observability on all LLM calls with audit trails
  • No client data used for model training; API-only inference
  • Automated agent evaluation suite with regression testing

Every push is scanned, linted, and tested

Five automated checks run on every push to main. No code ships without passing all gates.

SAST: Bandit (security linter)
Container scan: Trivy (CVE detection)
Type safety: mypy (static type analysis)
Lint: Ruff (code quality)
Test: pytest (automated tests)

Additionally, Datadog CSM continuously scans running infrastructure against CIS benchmarks and generates SBOM reports for all container images, and ClamAV runs daily antivirus scans.

Third-party services that process client data

Services that store or process client portfolio data as part of our platform operations.

Service               | Purpose                                                            | Data region
Google Cloud Platform | Compute infrastructure and object storage                          | Singapore (asia-southeast1)
Supabase              | Managed PostgreSQL: client portfolio data and market data          | Singapore
Cloudflare            | Secure ingress, DNS, and DDoS protection                           | Edge (nearest PoP)
Google Gemini         | LLM inference for AI agents; API-only, no training on inputs       | United States
Anthropic Claude      | LLM inference for credit analysis; API-only, no training on inputs | United States

Common questions from security reviews

Do your AI models train on our data?

No. We use Google Gemini and Anthropic Claude via their API endpoints under enterprise terms. Client prompts, portfolio data, and model outputs are never used for training. All LLM traffic is fully traced for audit purposes.

How is client data isolated?

Each client receives a dedicated database instance. Portfolio holdings, positions, and client-specific configurations are physically separated at the database level. There is no shared tenancy for client data.

Where is our data stored?

Primary infrastructure runs in Singapore (asia-southeast1). Database hosting is also in Singapore. LLM inference calls transit to API endpoints in the US, but no client data is persisted at the LLM provider.

Can AI agents be disabled in an emergency?

Yes. Every AI agent has a kill switch that can be toggled instantly. When activated, the agent returns a service unavailable response for all requests while health checks continue. Each agent can be disabled independently.
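
The kill-switch behaviour described in this answer, together with the command allowlist from the Agent Containment list above, as one added example (not Peripamo's code; the agent names, the allowlisted commands and the in-memory switch store are assumptions, and a real deployment would read the switch from configuration or a feature-flag service). A disabled agent answers 503 on every request while `/healthz` keeps returning 200, so the orchestrator does not restart what an operator deliberately turned off; the switch is per agent, and an enabled agent still only runs a single allowlisted executable with no shell operators and no path that escapes its workspace:

```python
"""Per-agent kill switch and command allowlist for an AI-agent gateway.
Added example, not Peripamo's code. Agent names and allowlists are assumptions."""
import shlex
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Any of these lets a command chain, substitute or redirect its way past the allowlist.
SHELL_METACHARS = set(";&|<>`$(){}\n")


@dataclass
class AgentPolicy:
    allowed_commands: Set[str]   # executables this agent may invoke
    disabled: bool = False       # the kill switch


@dataclass
class Response:
    status: int
    body: str


def check_command(command: str, allowed: Set[str]) -> Tuple[bool, str]:
    """Accept only one allowlisted executable with plain arguments confined to the workspace."""
    if any(ch in SHELL_METACHARS for ch in command):
        return False, "shell metacharacter rejected"   # conservative: rejected even inside quotes
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] not in allowed:
        return False, f"{argv[0]!r} is not allowlisted"
    for arg in argv[1:]:
        if arg.startswith("/") or ".." in arg:
            return False, f"argument {arg!r} escapes the workspace"
    return True, "ok"


class AgentGateway:
    def __init__(self, policies: Dict[str, AgentPolicy]):
        self.policies = policies

    def disable(self, agent: str) -> None:
        self.policies[agent].disabled = True

    def enable(self, agent: str) -> None:
        self.policies[agent].disabled = False

    def handle(self, agent: str, path: str, command: str = "") -> Response:
        policy = self.policies.get(agent)
        if policy is None:
            return Response(404, "unknown agent")
        # Health checks keep answering so the orchestrator does not restart a deliberately disabled agent.
        if path == "/healthz":
            return Response(200, "disabled" if policy.disabled else "ok")
        if policy.disabled:
            return Response(503, "agent disabled by kill switch")
        ok, reason = check_command(command, policy.allowed_commands)
        if not ok:
            return Response(403, reason)
        return Response(200, f"executed: {command}")   # real code would exec argv in the sandbox here


if __name__ == "__main__":
    gw = AgentGateway({"risk-analyst": AgentPolicy({"python3", "ls"})})
    print(gw.handle("risk-analyst", "/run", "ls; rm -rf /"))
    gw.disable("risk-analyst")
    print(gw.handle("risk-analyst", "/run", "ls"), gw.handle("risk-analyst", "/healthz"))
```

Returning 503 rather than 200-with-an-error keeps the outage visible to callers and load balancers, while the separate health path keeps the container from being cycled back into service by a restart loop.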

How do you handle production data in development?

Production data is never used directly in development. We run an automated anonymization pipeline that strips all PII, excludes authentication data entirely, and produces sanitized datasets for test environments.

What vulnerability scanning do you perform?

Every code change triggers automated security scanning (Bandit), container vulnerability detection (Trivy), static type analysis (mypy), code quality checks (Ruff), and test suites. Additionally, our infrastructure is continuously scanned against CIS benchmarks with SBOM reports generated for all container images.

Do you have SOC 2 or ISO 27001 certification?

We are not yet formally certified for SOC 2 or ISO 27001. However, our infrastructure is continuously evaluated against these frameworks via Datadog Cloud Security Management, with current posture scores of 100% for both. We are working toward formal certification.

Do you support on-premises deployment?

Yes. For clients with strict data sovereignty or regulatory requirements, we offer on-premises deployment on request. The platform can be deployed entirely within your own infrastructure, ensuring all data remains within your network perimeter.