Built for factory floors. Audited for the board room.
Certifications
- SOC 2 Type II — annual audit, report available under NDA to Scale-tier customers. Current report covers July 2024 – June 2025, renewal in progress.
- GDPR DPA — we sign the DPA before data goes anywhere near the EU. Standard Contractual Clauses for US ↔ EU data flows.
- CCPA — aligned. California consumers can request access, deletion, or opt-out via privacy@cloudpeaksystems.com.
- PCI-DSS — we don't store card data. Stripe handles the PCI boundary on our behalf.
- HIPAA — not in scope. CloudPeak does not process PHI.
Data residency
US customers run on AWS us-east-2 (Ohio) by default with multi-AZ failover. EU customers are provisioned on AWS eu-west-1 (Ireland). UAE customers can be provisioned on AWS me-south-1 (Bahrain) for data-sovereignty reasons. Residency is picked at onboarding and is immutable.
Encryption
In transit: TLS 1.2+ everywhere. At rest: AES-256 on RDS with KMS-managed keys. Application secrets via AWS Secrets Manager. We do not hold customer encryption keys; KMS customer-managed keys are available on the Scale tier.
Audit log
Every create, update, delete, and administrative action writes an append-only audit log entry with actor, timestamp, resource, IP, and before/after diff. 7-year retention by default. Exportable to customer S3.
Incident response
On-call rotation across Austin + Lahore + Dubai — the sun never sets on CloudPeak on-call. Commitment: initial response within 30 minutes, public status update within 90 minutes, full post-mortem within 5 business days.
Penetration testing
Annual third-party pen test by Bishop Fox. Most recent test: February 2026. All criticals and highs remediated; report summary available under NDA.
Responsible disclosure
Email security@cloudpeaksystems.com. We respond within 24 hours and we pay a bounty — $500 for valid medium, $2,500 for high, $10,000 for critical. We will not pursue legal action against good-faith researchers.