Security Overview
Effective Date: January 13, 2026
At Peppercrest LLC ("Peppercrest," "we," "us," or "our"), security is foundational to how we build and operate our services. This document provides an overview of the security measures we implement to protect your data.
1. Our Security Principles
We approach security with the following principles:
- Defense in depth: Multiple layers of security controls throughout our systems
- Least privilege: Access limited to what's necessary for each role or function
- Encryption by default: Data protected in transit and at rest
- Continuous improvement: Regular review and enhancement of security practices
2. Infrastructure Security
2.1 Cloud Infrastructure
Our services are hosted on enterprise-grade cloud infrastructure providers that maintain industry-leading security certifications (SOC 2, ISO 27001). We leverage their physical security, network protection, and infrastructure hardening.
2.2 Network Security
- Traffic encrypted in transit using TLS 1.2 or higher
- Web application firewalls to protect against common attacks
- DDoS protection and mitigation
- Network segmentation to isolate systems and limit blast radius
2.3 System Hardening
- Regular patching and updates
- Minimal attack surface through the principle of least functionality
- Secure configuration baselines
3. Data Protection
3.1 Encryption
- In transit: All data transmitted over networks is encrypted using TLS
- At rest: Sensitive data is encrypted at rest using AES-256 or equivalent
3.2 Data Isolation
For our software products, client data is logically isolated. Each client's data is kept separate and is not accessible to other clients. This isolation is enforced at the application and database levels.
3.3 Data Handling
- Data classification based on sensitivity
- Secure deletion when data is no longer needed
- Backups encrypted and stored securely
4. Access Control
4.1 Authentication
- Strong password requirements
- Multi-factor authentication available for user accounts
- Secure session management with appropriate timeouts
4.2 Authorization
- Role-based access control (RBAC)
- Principle of least privilege for all access
- Regular access reviews
4.3 Internal Access
- Employee access to production systems limited and logged
- Background checks for employees with access to sensitive data
- Access revoked promptly upon role change or departure
5. Application Security
5.1 Secure Development
- Security considered throughout the development lifecycle
- Code reviews with security focus
- Dependency scanning for known vulnerabilities
- Secure coding practices following OWASP guidelines
5.2 Testing
- Regular security testing and vulnerability assessments
- Penetration testing by qualified professionals
- Prompt remediation of identified issues
6. AI and Third-Party Services
6.1 AI Provider Security
Our products use third-party AI services (such as Anthropic and OpenAI). We select providers with strong security practices and appropriate data handling policies. Key considerations include:
- Data not used to train general models
- Appropriate data retention and deletion
- Strong security certifications and practices
6.2 Vendor Management
We evaluate the security practices of third-party vendors and require appropriate security measures in our agreements.
7. Incident Response
7.1 Monitoring
- Continuous monitoring of systems and applications
- Logging and alerting for security-relevant events
- Regular review of logs and alerts
7.2 Response Process
We maintain an incident response process that includes:
- Defined roles and responsibilities
- Detection and analysis procedures
- Containment, eradication, and recovery steps
- Post-incident review and improvement
7.3 Breach Notification
In the event of a data breach affecting your information, we will notify you in accordance with applicable laws and our contractual obligations.
8. Business Continuity
- Regular backups with tested recovery procedures
- Redundancy for critical systems
- Disaster recovery planning
9. Compliance
We design our security controls to align with industry standards and best practices. Specific compliance requirements may be addressed in client agreements based on your regulatory environment.
10. Security Questions
If you have questions about our security practices or need additional information for your security review, please contact us at hello@peppercrest.com.
For enterprise clients, we can provide additional documentation and participate in security questionnaires upon request.
11. Reporting Security Issues
If you discover a security vulnerability in our services, please report it responsibly by emailing hello@peppercrest.com with details of the issue. We appreciate your help in keeping our services secure and will work with you to address valid security concerns.
Contact Us
If you have questions about this policy, please contact us at hello@peppercrest.com.