Security at Perplexity
Your security is our top priority
Perplexity is built with modern security principles.
SOC 2 Type 2 Certified
SOC 2 Type 2 certified by independent auditors, ensuring your information remains protected at all times.
GDPR and HIPAA Compliant
Your data is handled in compliance with GDPR and HIPAA, using transparent collection processes and giving you full control over your personal information.
PCI Compliant
Comprehensive payment security that meets the highest industry standards, protecting financial data throughout every transaction.
Protecting customer data
Access Control
Perplexity prioritizes the protection of customer data as a fundamental business imperative. Recognizing the existential threat posed by data breaches, we have implemented stringent measures to safeguard sensitive information. Our policy strictly prohibits the storage of customer data on company workstations, laptops, or removable media, ensuring that all such data is exclusively housed within secure production environments.
To further enhance security, Perplexity utilizes AWS IAM for managing access to our production environment. We employ Single Sign-On (SSO) authentication with robust Multi-Factor Authentication (MFA) and short-lived session credentials. Additionally, we enforce Just-In-Time (JIT) access controls, granting engineers temporary access to sensitive resources only when necessary, such as for debugging purposes. To maintain the highest standards of data protection, access privileges undergo thorough reviews at least quarterly, ensuring that our security measures remain up to date and effective.
Infrastructure Security
At Perplexity, we maintain strict separation between our production infrastructure and other environments like staging and testing.
This segregation ensures data isolation, optimizes performance, and facilitates security testing without risking our live services. We achieve this through separate AWS accounts, distinct network configurations, and environment-specific access controls.
For additional security, we leverage Cloudflare's robust services. Their global network provides comprehensive DDoS protection against both network and application-layer attacks. We also utilize Cloudflare's Web Application Firewall (WAF) to guard against common vulnerabilities, implement rate limiting to prevent abuse, and ensure all traffic is encrypted using SSL/TLS.
Additionally, we use Wiz, a cutting-edge cloud security platform, to continuously monitor and assess the security of our cloud environments. Wiz provides real-time visibility into potential vulnerabilities, misconfigurations, and compliance risks across all environments, ensuring proactive threat detection and remediation.
This multi-layered approach, combining environment segregation, Cloudflare's security features, and the advanced monitoring capabilities of Wiz, allows us to maintain high availability, ensure data integrity, and provide a secure platform for our users.
Endpoint Security
At Perplexity, we implement a robust endpoint security strategy to protect our organization and customer data. We utilize Mobile Device Management (MDM) to enforce secure device policies across all company-owned devices. This allows us to implement strong password policies, encrypt device storage, enable remote wiping capabilities, enforce regular software updates, and control app installations. Our MDM policies ensure that all devices accessing company resources meet our stringent security standards, reducing the risk of data breaches through compromised endpoints.
To further enhance our security posture, we have deployed Endpoint Detection and Response (EDR) solutions on all machines used within our organization. Our EDR system provides real-time monitoring and analysis of endpoint activity, advanced threat detection using behavioral analysis and machine learning, and rapid incident response capabilities. It also enables remote forensics to investigate and contain potential security incidents.
Monitoring & Risk Management
Threat Detection & Response
Perplexity prioritizes rapid threat detection and response by investing in advanced monitoring, observability, and alerting across our production environments. We leverage Panther SIEM to aggregate and analyze critical log sources, including AWS CloudTrail, application logs, and more. These logs provide comprehensive visibility into our infrastructure, enabling us to identify suspicious activity and potential threats quickly. Through the creation and continuous refinement of hundreds of tailored detections, we monitor for indicators of compromise (IOCs), anomalous behavior, and policy violations. This proactive approach ensures that we can detect even subtle signs of malicious activity.
Our security team is available 24/7/365 and provides around-the-clock monitoring and incident response. The team leverages automated workflows to triage alerts and respond to potential incidents with speed and precision. When a threat is detected, our detailed playbooks guide containment, remediation, and post-incident analysis, ensuring that threats are neutralized swiftly with minimal impact.
Bug Bounty and Vulnerability Disclosure Program
We are committed to building strong partnerships with the security research community. In addition to conducting annual third-party penetration tests, we actively collaborate with researchers through our private Bug Bounty program on Bugcrowd and our public Vulnerability Disclosure Program (VDP). We encourage you to review our VDP to understand its scope and learn how to report potential vulnerabilities.
Third-Party Vendor Review
At Perplexity, we assess third-party sub-processors and vendors using a risk-based framework to ensure their privacy, security, and confidentiality practices align with our commitment to safeguarding customer data and maintaining a highly available service.
Vendors are reviewed annually based on factors such as the sensitivity of data handled, the criticality of our reliance on their services, and their overall reputation. A current list of our sub-processors can be found on our Trust Center.
