Welcome to the Perfect Wiki Trust Center. This is the single source of truth for how we protect customer data, run our service securely, and meet our obligations to you.
Security at a glance
- Encryption in transit: TLS 1.2+ with perfect forward secrecy on every endpoint.
- Encryption at rest: AES-256 (Google Cloud full-disk) for all customer data. Application-layer secrets are additionally encrypted with AES-256-GCM.
- Authentication: SSO via Microsoft Entra and Google Workspace, plus passwordless email OTP. MFA is inherited from the customer's identity provider.
- Hosting: Google Cloud Platform, in the US, Ireland, and Germany regions. Enterprise customers may pin data residency.
- Backups: Encrypted daily backups retained for up to 60 days, with documented restore procedure.
- Environment separation: Production, staging, and development environments are fully isolated. Production data is never used for non-production purposes.
- Monitoring: 24/7 automated monitoring and alerting via Sentry, with scheduled-job check-ins and uptime monitoring on our status page.
- Data export & deletion: Self-service export in HTML at any time, including after subscription termination. Customer-initiated account deletion is honored within 30 days.
Compliance & certifications
- GDPR: Compliant. We offer a Data Processing Agreement (DPA), maintain a public sub-processor list, support data subject access requests, and host EU customer data within the EU.
- CCPA: Compliant. California residents' rights are honored under our Privacy Policy.
- CSA CAIQ v4.0.3: Self-assessment available on request.
- SOC 2 / ISO 27001: Not yet certified. We follow the underlying controls and are tracking toward formal certification as we grow.
- HIPAA, PCI DSS, FedRAMP: Not in scope; Perfect Wiki is not designed for PHI, payment card data, or U.S. federal workloads.
Policies
Each policy below is reviewed and re-approved at least annually by the CEO/CTO.
- Information Security Policy
- Access Control & Identity Management Policy
- Cryptography & Key Management Policy
- Data Classification, Retention & Deletion Policy
- Incident Response Plan
- Business Continuity & Disaster Recovery Plan
- Change & Configuration Management Policy
- Vulnerability & Patch Management Policy
- Vendor & Sub-processor Management Policy
- Risk Management Policy
- Human Resources Security Policy
- Secure Software Development Lifecycle (SDLC) Policy
- Asset Management Policy
- Logging & Monitoring Policy
- Acceptable Use Policy
Transparency
- Sub-processors: A current list of third parties that may process customer data, kept up to date as our stack evolves.
- Data Processing Agreement (DPA): Standard GDPR DPA available for customers on request.
- Vulnerability Disclosure: If you've found a security issue, we want to know; see our coordinated disclosure page.
- Status page: Real-time uptime and incident history on our status page.