Platform Security

Cloud Provider: Hosted exclusively on Google Cloud Platform (GCP), leveraging their ISO 27001 and SOC 2 compliant infrastructure.

Data Sovereignty: Customer data can be hosted in your desired geographical region, ensuring local data residency and compliance with regional laws.

Tenant Isolation: Each client operates within a dedicated, completely isolated cloud project, ensuring full physical segregation of your database and application layers from other tenants.

Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.

Data Ownership: Clients retain full ownership of their data. We only process data to deliver the service and collect high-level, anonymized metrics for platform improvement.

Custom Data Exports: If required, we can configure automated, scheduled data exports directly to your own preferred local servers or cloud storage (e.g., SharePoint).

Key Management: Encryption keys are securely governed using Google Cloud Secret Manager with strict access controls.

Single Sign-On (SSO): Native support for Microsoft Entra ID (Azure AD). PermitMe is a verified Microsoft Publisher.

Multi-Factor Authentication: Enforceable via your SSO provider, with alternative MFA options available for external contractors.

Role-Based Access (RBAC): Granular, configurable permission models ensuring least-privilege access across administrators, issuers, and end-users.

Immutable Audit Logging: Tamper-resistant, server-side audit trails for all critical actions (permit creation, edits, approvals, system access).

Penetration Testing: Comprehensive third-party vulnerability assessments conducted annually, supplemented by weekly automated scans.

Patch Management: Critical vulnerabilities are remediated and patched seamlessly, typically within 24 hours.