Security & Trust
Last updated: June 9, 2026
Overview
Perch is a multi-tenant cloud application that holds workforce scheduling data — staff rosters, qualifications, schedules, and timestamps. We treat that data with the care it deserves. This page is a transparent description of how we protect it. We’re happy to answer any questions at security@onperch.co.
Perch runs entirely on enterprise-grade, independently certified infrastructure — SOC 2-audited providers (Clerk, Convex, Stripe, Vercel) — with encryption in transit and at rest, strict tenant isolation, and least-privilege access enforced on every request. Perch is not yet independently SOC 2 certified; we inherit and rely on the SOC 2 Type II controls of the providers that store and process your data.
Architecture
Perch uses a single-tenant-per-organization data model running on a shared multi-tenant backend. Each customer organization's data (company, venue, staff record, schedule, configuration) is logically isolated. Server-side authorization checks gate every read and write by (authenticated user, organization, venue), not just by authentication state.
- Backend: Convex serverless platform. Strongly typed mutations and queries; no direct DB access from clients.
- Hosting: Vercel (US regions). TLS termination and DDoS mitigation are provided by Vercel at the edge. DNS is managed via Cloudflare.
- Authentication: Clerk. Email/password, Google, and Microsoft sign-in today, with additional methods (passwordless email, SAML SSO) on our roadmap.
- Payments: Stripe. Perch never sees, stores, or transmits raw card data; the card iframe is loaded directly from Stripe.
- Email: Resend. Transactional only; no marketing list shared with sub-processors.
- Monitoring: Sentry for application errors and performance; Better Stack for uptime.
Encryption
- In transit: TLS 1.2 or higher on every connection to Perch and between Perch and its sub-processors. HSTS enforced.
- At rest: Customer data is encrypted at rest by Convex (our database provider) using industry-standard encryption. Email content held by Resend, payment data held by Stripe, and error data held by Sentry are encrypted at rest by those providers.
Authentication and access control
- Multi-factor authentication. Available via Clerk for every account (authenticator apps and passkeys). Additional factors and organization-level MFA enforcement are on our roadmap.
- Single sign-on (SAML / OIDC). On our roadmap. Contact security@onperch.co for enterprise inquiries.
- Role-based access control. Owner, Admin, Manager, Scheduler, and Member roles, with per-venue scoping for Manager and Scheduler. Authorization is enforced server-side; client-side UI gating is for UX only.
- Session management. Sessions managed by Clerk with revocation, idle timeout, and per-session device records.
Data handling
- What we collect is documented in detail in our Privacy Policy. In short: account data (name, email, profile), billing data (last-four of card via Stripe), and customer-uploaded staff records (name, schedule, optional contact info, qualifications).
- What we do not use it for. We do not sell personal data. We do not use Customer Data to train any artificial-intelligence or machine-learning models — neither ours nor third parties’.
- Retention. Customer Data is retained for the life of the subscription, plus up to 90 days post-cancellation to allow recovery or export. Billing and tax records are retained for up to 7 years. See the Privacy Policy for full detail.
- Deletion. Customer-initiated deletion is supported via the in-app export and account-closure flow. You can request written confirmation that your data has been deleted.
- Backups. Convex maintains automated backups of the database. Backup encryption matches production encryption at rest.
Business continuity and disaster recovery
- Redundant, managed infrastructure. Perch runs on serverless, edge-distributed providers (Convex for data, Vercel for hosting) rather than self-managed servers. There is no single host to fail; provider failover is automatic and managed.
- Backups. Convex maintains automated backups of the production database, encrypted at rest to the same standard as production. Our target recovery point (RPO) is 24 hours or better.
- Recovery. For most incidents, recovery is handled by our providers’ high-availability and failover guarantees (typically minutes). For data-level incidents, we restore from backup with a target recovery time (RTO) of 24 hours, prioritized by severity.
- Availability commitment. Customers under an applicable agreement receive a 99.9% uptime commitment with service credits — see our Service Level Agreement.
- Continuity testing. Formalized, scheduled restore/failover drills are on our roadmap; we are transparent that these are not yet on a fixed cadence.
Monitoring and incident response
- Application monitoring. Sentry captures server-side and client-side errors, performance regressions, and anomalous patterns in real time.
- Uptime monitoring. Better Stack pings the public endpoints every 3 minutes; alerts route to the on-call channel.
- Audit logging. All schedule publishes are permanently recorded with the user, timestamp, and full snapshot. Per-mutation audit logs (every staff edit, position change, role assignment) are on our roadmap.
- Incident response. If a security incident is confirmed, Perch will (a) contain the incident, (b) preserve forensic data, (c) notify affected customers and supervisory authorities within 72 hours where required, and (d) provide a post-incident report.
- Vulnerability disclosure. Email security@onperch.co with a description and reproduction steps. We commit to acknowledge within 72 hours and to remediate or respond substantively within a reasonable period commensurate with the severity. Good-faith research is welcome; please do not exploit, exfiltrate, or disrupt other customers’ data.
Personnel & operational access
- Least-privilege production access. Production systems and customer data are accessible only to authorized Perch personnel who need it to operate and support the service. Access is granted on a least-privilege basis and revoked when no longer required.
- MFA on every privileged account. All administrative and infrastructure accounts (Clerk, Convex, Stripe, Vercel, Cloudflare, source control, and email) are protected by multi-factor authentication. No production system is reachable by a shared or password-only credential.
- No standing third-party access. No outside party has standing access to production data. Sub-processors receive only the data necessary to perform their function (listed below), under contract.
- Confidentiality. Personnel with access to customer data are bound by confidentiality obligations covering that data.
- Secure development. Changes are version-controlled and reviewed before release; secrets live in managed environment configuration, never in source. Server-side authorization is enforced on every read and write, scoped by user, organization, and venue.
Sub-processors
Perch relies on the following sub-processors. Each is bound by contract (including Standard Contractual Clauses where applicable for cross-border transfers) to protect personal data in line with applicable law. Customers are notified at least 30 days before any material change to this list.
| Sub-processor | Role | Location | Attestations |
|---|---|---|---|
| Clerk, Inc. | Authentication, session management, SSO | United States | SOC 2 Type II, GDPR-compliant |
| Google LLC | Authentication (“Sign in with Google”) and inbound email delivery via Gmail | United States | SOC 2/3, ISO 27001 |
| Microsoft Corporation | Authentication (“Sign in with Microsoft” via Entra ID) | United States | SOC 2 Type II, ISO 27001 |
| Convex, Inc. | Database, backend runtime, application data hosting | United States | SOC 2 Type II |
| Stripe, Inc. | Payment processing — full PCI scope held at Stripe; no card data stored in Perch | United States (global) | PCI DSS Level 1, SOC 1 / SOC 2 |
| Resend, Inc. | Transactional email delivery | United States | SOC 2 Type II |
| Vercel, Inc. | Application hosting, edge content delivery | United States | SOC 2 Type II, ISO 27001 |
| Cloudflare, Inc. | Domain registration, DNS, and inbound email routing for @onperch.co aliases | United States | SOC 2 Type II, ISO 27001 |
| Sentry (Functional Software, Inc.) | Error and performance monitoring | United States | SOC 2 Type II, ISO 27001 |
| Better Stack (BetterStack Global Sàrl) | Uptime monitoring (synthetic HTTPS probes of public endpoints) | European Union / United States | Monitoring only — no customer data processed |
| PostHog, Inc. | Product analytics — only with your Analytics cookie consent | United States | SOC 2 Type II |
Compliance posture
- SOC 2 Type II. Perch is not independently SOC 2 certified today. All core infrastructure providers (Clerk, Convex, Stripe, Vercel) are SOC 2 Type II attested, and their reports are available to support your due diligence.
- GDPR / UK GDPR. The Service is not currently offered to customers in the EU/EEA/UK during the Beta period. See our Data Processing Agreement for the contractual position.
- CCPA / CPRA. California residents have the rights described in our Privacy Policy.
- Penetration testing. We welcome third-party security testing and will discuss a penetration test as part of enterprise engagements.
- HIPAA / PCI scope. Perch is not a HIPAA Business Associate. Card data is held entirely by Stripe; Perch is out of PCI scope.
Contact
Security disclosures and DPA negotiations: security@onperch.co. General privacy inquiries: privacy@onperch.co.