Security and data protection

Performance Leader is committed to securing access to your data, eliminating systems vulnerabilities and ensuring continuity of access.


1. Compliance Certifications

1.1 ISO 27001
Performance Leader is committed to maintaining our ISO 27001 certification.

1.2 GDPR / CCPA
Performance Leader is designed to comply with all requirements stated by the GDPR and the CCPA.

Performance Leader is a UK registered company and is registered with the UK Information Commissioner's Office.

Where possible, Performance Leader makes tools available inside the platform to help our customers meet their obligations under this legislation.

2. Vulnerability Disclosure Policy

We take vulnerability disclosures extremely seriously. Once disclosures are received, we rapidly verify each vulnerability contained within the report before taking the necessary steps to contain and remediate the issue.

Once verified, we will periodically send status updates as the problems are fixed and will endeavour to work with the reporter to coordinate public disclosure should they so wish.

Performance Leader has a well documented response process for the detection and resolution of Security Incidents.

3. Infrastructure and Network Security

3.1 Physical Access Control
The Performance Leader Platform is hosted exclusively on Rackspace. Rackspace maintains both ISO 27001 certificates and SOC 2/3 reports.

Datacenters used by Rackspace include extensive security measures built around a layered security model. These safeguards include:
- Vehicle Access Barriers
- Perimeter Fencing
- Metal Detectors
- Biometric Access Control
- Alarms

Performance Leader employees do not have physical access to any Rackspace data centers, servers, networking equipment or storage media.

3.2 Logical Access Control
Performance Leader is the assigned administrator of its infrastructure on Rackspace, and only a small number of authorised Performance Leader employees have access to configure this infrastructure. Infrastructure configuration is performed on an as-needed basis and requires two-factor authentication.

Direct access to servers (such as over SSH) is granted only on an as-needed basis and is covered by detailed audit logging. SSH connections are protected using two-factor authentication and regularly rotated certificates.

Administrator connections to production servers are made over a private network.

Administration rights (including SSH, Database Access and Infrastructure Configuration) are tightly controlled and restricted to a very small number of our team.

3.3 Penetration Testing
Performance Leader undergoes annual black box penetration testing by an accredited third-party agency.

Penetration testers are provided with a high-level diagram of application architecture and tests are run against our hosted production environment.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Customers on our Enterprise plan can request a summary of our latest penetration test findings by contacting their Account Manager.

3.4 Third-Party Audit
Performance Leader is committed to maintaining our ISO 27001 certification, with annual third-party audits of our ISMS program.

3.5 Intrusion Detection and Prevention
Performance Leader uses a combination of host-based signals, network-based signals, and infrastructure signals to provide Intrusion Detection and Prevention systems (IDS/IPS).

We use both signature-based security and algorithm-based security to identify patterns that could represent an attack method.

Our IPS strategy involves tightly controlling the attack surface, employing intelligent and layered detection controls at data entry points, and deploying technologies that automatically remedy potentially dangerous situations.

4. Business Continuity and Disaster Recovery

4.1 High Availability
Every part of the Performance Leader platform uses automatically provisioned, redundant servers to protect against failure.

4.2 Business Continuity
Performance Leader keeps regular daily and weekly backups of data in multiple geographic locations on Rackspace.

All backups are stored in an encrypted form.

In the case of platform-wide production data loss we are able to restore data from these backups.

We regularly test our ability to restore our infrastructure from the backups we maintain.

We routinely verify the integrity of the backups that we hold.

4.3 Disaster Recovery
In the unlikely event of a prolonged regional outage we maintain a documented procedure for provisioning our deployment environment in a separate region.

Performance Leader has an extensively documented Incident Response process that includes documented procedures for Business Continuity and Disaster Recovery.

5. Data Flow

5.1 Data Arriving from Customers
All customer data is sent to Performance Leader via HTTPS using TLS 1.2 or above.

All Performance Leader systems are configured to reject connections using TLS version below 1.2 or those using potentially insecure cipher suites.

Performance Leader operates a zero-trust network, meaning that all network traffic, even within our own network perimeter, is encrypted.

Performance Leader regularly tests the availability and security of its SSL configuration using SSL Labs Reporting.

All requests into the system are logged and monitored using a combination of rule and anomaly-based systems.

5.2 Data Leaving the System
Performance Leader allows customers to access the data stored in Performance Leader through our web application.

All of the methods we provide to our customers for accessing their data ensure encryption in transit using TLS 1.2 or above.

6. Application Security

6.1 Two-Factor Authentication
Performance Leader provides the option for users to add an additional layer of security to their Performance Leader account using Time-based One-Time Passwords (TOTP).

Once enabled, Two-Factor Authentication applies to all authentication methods, including Single Sign-On.

6.2 SAML 2.0
Customers are able to enable SAML-based authentication.

Workspaces are optionally able to force all of their users to authenticate using SAML 2.0 to align with their own authentication requirements.

7. Secure Application Development (ADL / SDLC)

8. Corporate Security

Performance Leader believes that good security applies equally to our team as to our platform.

8.1 Malware Protection
Performance Leader maintains a comprehensive Malware Protection system backed by CrowdStrike and Apple Gatekeeper.

8.2 Endpoint Security and Configuration
Performance Leader uses Kandji for Inventory Management and Configuration.

All Performance Leader endpoints use Full Disk Encryption, Screen Lock, Remote Wipe, and strong passwords.

8.3 Risk Management
Performance Leader uses a documented Risk Assessment and Treatment process.

Performance Leader uses a combination of Asset and Scenario based Risk Assessments.

All deployments of Performance Leader go through peer review, automated testing, and an automated deployment process that updates the production environment.

Performance Leader performs risk assessment and treatment of all systems and applications on a regular basis.

8.4 Contingency Planning
Performance Leader maintains a comprehensive Incident Response Process that includes designated Disaster Recovery and Customer Communication plans.

We update our Incident Response Process at least annually.

We test all of our Incident Response Processes quarterly and thoroughly review our test results for gaps.

8.5 Security Policies
Performance Leader maintains a comprehensive set of documented Security Policies in our company wiki.

Our policies are designed in accordance with ISO 27001, are updated on an ongoing basis, and are reviewed annually for gaps.

Customers on our Enterprise plan with special compliance requirements can request access to a more detailed overview of these policies from their Account Manager.

8.6 Background Checks
Performance Leader conducts Background Checks for all members of our team.

8.7 Security Training
Performance Leader maintains a comprehensive internal Security Training program for our team.

All Performance Leader employees receive security training upon joining the team and quarterly thereafter.

Members of Performance Leader's engineering team receive regular additional training that covers secure development practices, such as the OWASP Top Ten, in addition to our internal policies.

8.8 Incident Response Policy
Performance Leader follows a CERN (Contain, Eradicate, Recover, and Notify) security incident response process.

Where a security incident affects the confidentiality of customer data, Performance Leader will contact the registered Administrators of the Workspace.

Performance Leader maintains a public status page at https://status.performanceleader.com which reports on operational issues.

Anyone can subscribe to updates via email from the status page.

Performance Leader uses a Continuous Integration and Continuous Deployment model which means all of our code changes are committed to a Source Code Repository, reviewed, tested, and shipped to our customers in a rapid sequence.

Our rapid iteration development model significantly improves our response time to bugs, vulnerabilities, and security incidents.