# Security & Compliance — PermitMe

> Enterprise-grade security, compliance, and infrastructure details for PermitMe. Built for high-risk industries that demand the highest standards of data protection.

## Security Overview

At PermitMe, safety and cybersecurity are foundational principles. The platform is engineered with enterprise-grade controls so that operational data remains secure, private, and highly available.

## Infrastructure & Hosting

- **Cloud Provider:** Hosted exclusively on Google Cloud Platform (GCP), building on GCP's ISO 27001 certified and SOC 2 audited infrastructure. Under the shared-responsibility model these attestations cover the underlying infrastructure; the application-layer controls PermitMe operates are described in the sections below
- **Data Sovereignty:** Customer data can be hosted in a customer-selected GCP region, supporting local data residency and compliance with regional laws
- **Tenant Isolation:** Each client operates within a dedicated Google Cloud project, so its database and application layers are segregated at the project boundary from every other tenant (no shared database or application instances). This is a logical isolation enforced by GCP rather than dedicated physical hardware

## Data Protection

- **Encryption:** All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256
- **Data Ownership:** Clients retain full ownership of their data. PermitMe only processes data to deliver the service and collects high-level, anonymised metrics for platform improvement
- **Custom Data Exports:** Configurable automated, scheduled data exports to your own local servers or cloud storage (e.g., SharePoint)
- **Key Management:** Encryption keys and application secrets are stored in Google Cloud Secret Manager, with access restricted through Cloud IAM to the service identities that require them

## Access & Identity

- **Single Sign-On (SSO):** Native support for Microsoft Entra ID (Azure AD). PermitMe is a verified Microsoft Publisher
- **Multi-Factor Authentication:** Enforceable via your SSO provider, with alternative MFA options available for external contractors
- **Role-Based Access (RBAC):** Granular, configurable permission models enforcing least-privilege access across administrators, issuers, and end-users

## Auditability & Testing

- **Immutable Audit Logging:** Tamper-resistant, server-side audit trails for all critical actions (permit creation, edits, approvals, system access)
- **Penetration Testing:** Annual third-party penetration tests and vulnerability assessments, supplemented by weekly automated vulnerability scans
- **Patch Management:** Critical vulnerabilities are typically remediated within 24 hours

## Reliability & Business Continuity

- **Uptime & Availability:** 99.5% uptime SLA, historically achieving over 99.9% availability
- **DDoS & WAF:** Multi-layered protection via Google Cloud's global edge network, with Web Application Firewall (Cloud Armor) options
- **Automated Backups:** Point-in-time recovery (7-day retention), daily snapshots (14-day retention), and weekly snapshots (30-day retention)
- **Disaster Recovery:** Target 12-hour RTO and 24-hour RPO, validated through regular disaster recovery and restoration exercises

## Security Questionnaires

PermitMe is happy to accommodate enterprise security questionnaires and due diligence requirements. Contact the security team at https://permitme.app/contact.

## Learn More

- Security page: https://permitme.app/security
- Privacy policy: https://permitme.app/privacy
- Terms of use: https://permitme.app/terms
- Contact: https://permitme.app/contact
