Perchy
Security

Built like the infrastructure you'd run yourself.

Perchy is a production routing layer in front of expensive third-party models. We treat your prompts like the credentials they often contain. This page summarizes our posture; technical detail is available under NDA via a Trust Portal request.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. HSTS preloaded. Public-key pinning for the host CLI.

Hashed credentials

API keys are stored as one-way hashes. Once you close the create-key dialog, the secret cannot be retrieved.

Production access control

Production access requires SSO with hardware MFA. Sessions are short-lived and logged.

Continuous testing

Static analysis, dependency review, and weekly dynamic scanning. Annual third-party penetration tests.

Customer data minimization

We do not train foundation models on your prompts or outputs. Premium customers can enable zero-retention.

Compliance roadmap

SOC 2 Type II in progress (audit window opens Q3 2026). ISO 27001 follow-up planned for 2027.

Vulnerability disclosure

Found something? Tell us.

We welcome reports from independent researchers. Please give us a chance to fix before disclosing publicly.

  • Report: security@perchy.ai. We respond within one business day.
  • Encrypted reports: our PGP key fingerprint is published at /.well-known/security.txt.
  • Safe harbor: good-faith research consistent with our policy is authorized — we won't pursue legal action.
  • Out of scope: denial-of-service tests, social engineering of staff, physical attacks, and findings on third-party model providers.
  • Recognition: we maintain a Hall of Fame and pay rewards on the Bugcrowd platform for qualifying vulnerabilities.

Other contacts

Where to write.

Law enforcement

legal@perchy.ai — process must be served on our registered agent in Delaware.