Security at perfscale
Security is not a feature — it's the foundation. Here's exactly how we protect your infrastructure, test data, and secrets.
Our security practices
Encryption in transit and at rest
All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted using AES-256. Encryption keys are managed via a dedicated key management service with automatic rotation.
Infrastructure security
Infrastructure runs in isolated VPCs with strict network segmentation. Access to production systems requires MFA and is limited to a minimum set of engineers. All access is logged and audited.
Vulnerability management
We run automated dependency scanning on every build. Critical-severity CVEs in our dependencies are patched within 24 hours. Penetration tests are conducted annually by an independent third party.
SOC 2 Type II
perfscale has completed a SOC 2 Type II audit covering the Security, Availability, and Confidentiality trust services criteria. A copy of the report is available to enterprise customers under NDA.
Access control
Role-based access control (RBAC) is enforced at every layer. Enterprise customers can connect their own identity provider via SSO/SAML 2.0. All sessions use short-lived tokens.
Incident response
We maintain a documented incident response plan with defined SLAs for detection, containment, and customer notification. Security incidents are disclosed at status.perfscale.su.
Responsible disclosure
We take security reports seriously and acknowledge all valid reports within 48 hours. If you discover a vulnerability in perfscale, please report it privately and do not publish it before we've had a chance to fix it.
Scope: perfscale.su and all subdomains, the perfscale API, and the perfscale CLI.
Out of scope: Social engineering, physical attacks (including any vulnerability that requires physical access), and third-party services.
Process: Email your report to security@perfscale.su with a clear description, steps to reproduce, and potential impact. We will acknowledge within 48 hours and keep you updated as we work on a fix.
We do not currently offer a bug bounty programme, but we deeply appreciate responsible disclosures and will credit researchers publicly (with their consent) after the fix is shipped.
Frequently asked questions
Do you store the content of my HTTP requests and responses?
By default, perfscale stores aggregated metrics (latency percentiles, error rates, throughput) — not raw request or response bodies. Enterprise customers can enable full request logging to their own storage bucket.
Can load test agents reach my internal services?
Yes. Enterprise plans support private runners deployed inside your VPC. Test traffic to your services never leaves your network. The runner's only outbound connection is to the perfscale control plane, which it uses to fetch test configs and push metrics.
How long is test data retained?
Test results and metrics are retained for 90 days on the Team plan and 1 year on Enterprise. You can delete all data at any time from the dashboard or via the API.
Is perfscale GDPR compliant?
Yes. We are a data processor under GDPR. We offer a Data Processing Agreement (DPA) on all paid plans. EU customers can choose EU data residency to keep all data within the European Economic Area.
What happens to my data if I cancel?
You can export all your test results via the API before cancelling. After cancellation we retain your data for 30 days, then permanently delete it. We will never sell your data to third parties.
Need a security review or DPA?
Enterprise customers can request our SOC 2 report, DPA, and security questionnaire responses.