Security
Security overview
Performance Vue is built entirely on Amazon Web Services in the US East (N. Virginia) region (us-east-1).
- Encryption in transit. All traffic between your browser and the service — and between the service and the third-party systems you connect — is encrypted with TLS 1.2 or higher. HTTPS is enforced everywhere; plain HTTP is not served.
- Encryption at rest. Customer data is encrypted at rest across every storage layer: the relational database (Amazon RDS PostgreSQL), the time-series metrics store (Amazon DynamoDB), and object storage (Amazon S3 server-side encryption).
- Tenant isolation at three layers. Every workspace is isolated by design, not by convention: (1) tenant identity is derived from the signed JWT issued at login — never from client-supplied parameters; (2) PostgreSQL row-level security policies are enforced at the database layer, so queries physically cannot return another tenant's rows; (3) time-series data in DynamoDB is scoped by tenant-prefixed partition keys on every read and write.
- Secrets management. API keys, OAuth tokens, and database credentials live in AWS Secrets Manager. There are zero credentials in source code.
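The database-layer part of this isolation (layer 2, with the tenant setting fed from layer 1), as an added illustration that is not Performance Vue's own schema: table, column and role names are assumed, and the tenant UUIDs are constructed sample values.

```sql
-- Hypothetical metrics table; every row carries the tenant it belongs to.
CREATE TABLE kpi_values (
  tenant_id uuid        NOT NULL,
  metric    text        NOT NULL,
  ts        timestamptz NOT NULL,
  value     numeric     NOT NULL
);

-- Turn on row-level security and apply it to the table owner as well,
-- so no role short of a superuser or BYPASSRLS role sees other tenants.
ALTER TABLE kpi_values ENABLE ROW LEVEL SECURITY;
ALTER TABLE kpi_values FORCE ROW LEVEL SECURITY;

-- The policy compares each row against a transaction-scoped setting that
-- the application writes only after verifying the JWT. missing_ok = true
-- makes current_setting() return NULL when the setting was never set, and
-- NULLIF() handles a pooled connection where it was reset to '', so a
-- request that forgot to set the tenant matches zero rows instead of erroring
-- out or leaking.
CREATE POLICY tenant_isolation ON kpi_values
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON kpi_values TO app_user;

-- Per request (as app_user): SET LOCAL lives only for this transaction, so
-- the tenant cannot bleed into the next request on a pooled connection.
-- The value comes from the verified token's tenant claim, never from the
-- query string or request body.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Returns only tenant 1111...'s rows; no WHERE clause on tenant_id is needed.
SELECT metric, ts, value FROM kpi_values ORDER BY ts DESC LIMIT 100;

-- Explicitly asking for another tenant's rows still returns 0 rows:
-- the policy is applied before the WHERE clause can reach them.
SELECT count(*) FROM kpi_values
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';

-- Writing a row for another tenant is rejected by WITH CHECK with
-- "new row violates row-level security policy", which aborts the transaction.
-- INSERT INTO kpi_values VALUES ('22222222-2222-2222-2222-222222222222', 'revenue', now(), 1);
COMMIT;
```

To verify the setup, run the two SELECTs as `app_user` with rows seeded for both tenants and confirm the second always returns 0; then drop `FORCE ROW LEVEL SECURITY` as the table owner to see why that clause matters.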
Identity & access
- Authentication is handled by AWS Cognito. Performance Vue never stores raw passwords.
- Multi-factor authentication via TOTP authenticator apps (Google Authenticator, 1Password, Authy, and similar) is available to all users.
- Role-based access control. Every workspace member is an Owner, Admin, or Viewer, and permissions are enforced server-side on every request.
- SAML single sign-on for enterprise plans is on our near-term roadmap. If SSO is a requirement for your organization, contact us — enterprise requirements directly shape our roadmap ordering.
Network & monitoring
- AWS WAF protects both the application edge (CloudFront) and the API layer (API Gateway) with AWS managed rule sets — common threats, known-bad inputs, IP reputation — plus rate limiting.
- AWS CloudTrail maintains a tamper-evident audit trail of all infrastructure-level API activity, with log file validation enabled.
- Amazon GuardDuty provides continuous threat detection across the production account.
- Security headers — including HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — are applied to application and marketing-site responses.
- Automated monitoring. Client-side application errors are reported and alerted on automatically, and a data-freshness watchdog alerts us when a connected data source stops syncing — so stale data is treated as an incident, not a surprise.
Access from restricted networks
If your organization uses a secure web gateway, forward proxy, or domain allowlisting, allow the following domains so that Performance Vue works from your network:
| Domain | Purpose |
|---|---|
| performancevue.com | Marketing site, plan checkout entry point |
| app.performancevue.com | Main application |
| <your-workspace>.performancevue.com | Your dedicated workspace subdomain (e.g. acme.performancevue.com) |
| jkxnayi6p4.execute-api.us-east-1.amazonaws.com | Performance Vue API (Amazon API Gateway) |
| cognito-idp.us-east-1.amazonaws.com | Authentication (AWS Cognito) |
| cdnjs.cloudflare.com | JavaScript libraries (charting, QR codes) |
| js.stripe.com · checkout.stripe.com | Billing pages only (Stripe payments) |
For enterprise customers whose security policy prohibits traffic to public API endpoints, private API connectivity over AWS PrivateLink — keeping Performance Vue API traffic on the AWS backbone, inside your VPC, off the public internet — is available on request. Contact info@performancevue.com to scope it for your environment.
Subprocessors
We use a small number of vendors to operate the service. Each receives only the data necessary for its function:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting — compute, database, storage, authentication, email delivery | United States (us-east-1) |
| Stripe, Inc. | Payment processing — billing details only; Stripe never receives KPI or connector data | United States |
| Netlify, Inc. | Marketing site hosting (performancevue.com only — no application data) | United States |
| Google (Google Analytics) | Marketing-site analytics — loads only with your explicit consent; never runs inside the application | United States |
| Airtable, Inc. | Lead and feedback intake — prospective-customer contact details and in-app feedback submissions | United States |
Compliance & practices
- Legal terms. Our Terms of Service and Privacy Policy describe our commitments in full, including data ownership, retention, and your privacy rights.
- GDPR. For customers subject to the GDPR, Article 28 processor terms and a Data Processing Agreement are available on request — see our DPA or email dpa@performancevue.com.
- SOC 2. We align our security controls to the SOC 2 trust services criteria; a formal third-party audit is on our roadmap. We do not currently hold a SOC 2 attestation, and we will not claim one until an independent auditor has issued it.
- Security questionnaires. We answer written security questionnaires for prospective and current customers — send yours to info@performancevue.com.
- Responsible disclosure. If you believe you have found a security vulnerability in Performance Vue, please report it to info@performancevue.com. We will acknowledge your report promptly, investigate, and keep you informed. We ask that you give us a reasonable opportunity to remediate before public disclosure, and we will not pursue action against good-faith research conducted within these guidelines.