Security & Responsible Disclosure

We take the security of the Perimeter platform seriously. This page describes how we approach security internally and how to report a vulnerability to us responsibly.

Our security practices

  • All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent.
  • All infrastructure is hosted on Google Cloud within the European Union. No data leaves the EEA.
  • Access to production systems is restricted to authorised personnel using multi-factor authentication and least-privilege access controls.
  • We conduct periodic security reviews of our platform and infrastructure.
  • Dependency and vulnerability scanning is integrated into our development pipeline.
  • We are working toward ISO 27001 alignment and apply its controls as a framework for our internal security programme.

Enterprise customers requiring more detailed information for security due diligence or vendor assessments can contact security@useperimeter.com.

Responsible disclosure policy

If you discover a security vulnerability in the Perimeter platform, we ask you to report it to us responsibly. We are grateful to the security community for helping keep our platform and customers safe.

Please report vulnerabilities to security@useperimeter.com. Include as much detail as possible: a description of the vulnerability, steps to reproduce it, the potential impact, and any supporting evidence such as screenshots, logs, or proof-of-concept code.

What we ask of you

  • Report the vulnerability to us privately before any public disclosure. We ask for a reasonable amount of time to investigate and fix the issue — we aim to acknowledge reports within 5 business days and resolve confirmed issues within 90 days.
  • Do not access, modify, or delete data that does not belong to you.
  • Do not perform attacks that could affect service availability for other users, such as denial-of-service attacks.
  • Do not use social engineering, phishing, or physical security methods against our team or infrastructure.

What you can expect from us

  • Acknowledgement of your report within 5 business days.
  • Regular updates on our progress and estimated resolution timeline.
  • No legal action against researchers who act in good faith in accordance with this policy.
  • Credit in our acknowledgements (if you wish) once the issue is resolved and disclosed.

Scope

This policy applies to security vulnerabilities in:

  • The Perimeter platform at app.useperimeter.com
  • This website at useperimeter.com
  • Any APIs or services operated by Swavvy AB under the Perimeter brand

This policy does not apply to third-party services or libraries outside our direct control. Please report those issues to the relevant vendors.

Out of scope

  • Vulnerabilities requiring physical access to a user's device.
  • Social engineering attacks against users or staff.
  • Attacks requiring a compromised user account.
  • Reports from automated scanners without manual verification.
  • Denial-of-service attacks.
  • Missing security headers where the risk is theoretical and demonstrably low-impact.