Security Policy

Last updated: February 28, 2026

1. Overview

Security is foundational to Performs360. Our platform handles sensitive performance evaluation data, and we have built our architecture around the principle of zero-trust and zero-access. This document outlines the technical and organizational measures we implement to protect your data.

2. Encryption Architecture

Performs360 uses a multi-layered envelope encryption scheme:

  • Encryption at rest: All evaluation responses are encrypted using AES-256-GCM before being written to the database.
  • Company-owned keys: Each company's data key is derived from an encryption passphrase set by the company administrator. The passphrase is processed through Argon2id to produce a master key, which encrypts the AES-256 data key.
  • Zero-access design: The platform operator (Performs360 team, including super admins) cannot decrypt evaluation data. The encryption passphrase is never transmitted to or stored on our servers in plaintext.
  • Encryption in transit: All network communication uses TLS 1.3.

3. Authentication & Access Control

  • Passwordless authentication: Company users authenticate via magic links (email-based, powered by NextAuth.js). No passwords are stored.
  • OTP verification for evaluations: External reviewers authenticate via 6-digit OTP codes sent to their registered email. OTPs are bcrypt-hashed, expire after 10 minutes, and lock out after 3 failed attempts (15-minute cooldown).
  • Role-based access control (RBAC): Four roles (Admin, HR, Manager, Member) with strict permission boundaries. Only Admin and HR can view decrypted evaluation reports.
  • Multi-tenant isolation: Every database query is scoped to the authenticated user's company. Cross-tenant data access is architecturally impossible.

4. Key Management

  • Company encryption passphrases are known only to the company administrator.
  • Recovery codes are generated during setup, shown once, and stored as bcrypt hashes.
  • Key rotation is supported — administrators can rotate data keys from the settings panel.
  • If both the passphrase and all recovery codes are lost, data is permanently unrecoverable. This is by design — it guarantees no backdoor exists.

5. Infrastructure Security

  • Hosted on Vercel with automatic DDoS protection and edge network distribution
  • PostgreSQL database hosted on Supabase/Neon with encrypted connections and automated backups
  • Environment variables and secrets managed securely — never committed to source control
  • CSRF protection via SameSite cookies and NextAuth.js built-in protections
  • Input validation on all API endpoints using Zod schemas

6. Rate Limiting

  • OTP sends: Maximum 5 per email per hour
  • OTP verification: Maximum 3 attempts per session, followed by a 15-minute cooldown
  • API calls: 100 requests per minute per IP address
  • Authentication attempts are logged and monitored for anomalies

7. Audit Logging

All sensitive operations are logged with timestamps, user identifiers, and action types. This includes:

  • Decryption events (who viewed which evaluation data, when)
  • Role changes and user management actions
  • Encryption key rotation events
  • Super admin impersonation sessions (target company, duration, actions taken)

Audit logs are visible to company administrators only and cannot be modified or deleted.

8. Incident Response

In the event of a security incident, we will notify affected companies within 72 hours with details of the incident, data impacted (if any), and remediation steps. Due to our zero-access encryption architecture, a breach of our infrastructure does not expose evaluation response content.

9. Responsible Disclosure

If you discover a security vulnerability, please report it to security@performs360.com. We appreciate responsible disclosure and will work with you to address any legitimate findings promptly.