Security

How we handle your data.

Peak AI is built and operated by Pearl Fibers. Here's what we collect, where it lives, how it's protected, and what we never do with it.

What we never do

Where your data lives

Peak AI runs on Pearl Fibers infrastructure. Database, application servers, file cache, and audit logs all live in our primary region. Backups are encrypted and kept in the same region. We do not currently mirror customer data to providers outside our control.

Encryption

Authentication

Sign-in is delegated to Pearl Fibers SSO (OpenID Connect, PKCE, RS256-signed ID tokens). Peak AI never sees your password. Sessions inherit the lifetime of your SSO session; signing out of Pearl Fibers signs you out of Peak AI.
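The two client-side pieces of the flow above, as an added example (not Peak AI's or Pearl Fibers' code): generating and checking a PKCE verifier/challenge pair (RFC 7636, S256), and the claim checks a relying party still has to make on an ID token after it has verified the RS256 signature. Signature verification against the provider's JWKS needs an RSA library and is deliberately left out; the issuer URL, client ID and token claims are constructed for the example.

```python
import base64
import hashlib
import json
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_pkce_pair():
    """Client side of PKCE: a 256-bit random code_verifier (43 chars, within the
    43..128 allowed) and its S256 code_challenge sent on the authorize request."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """What the authorization server checks at the token endpoint: the verifier
    presented with the code must hash to the challenge bound to that code."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def check_id_token_claims(id_token: str, issuer: str, client_id: str,
                          nonce: str, now=None):
    """Claim checks to run AFTER the RS256 signature has been verified.
    Returns (ok, reason); the reason names the first failing check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _sig = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: never let the token's header pick 'none' or an HMAC
    # variant that would let an attacker sign with the public key.
    if header.get("alg") != "RS256":
        return False, "alg"
    if claims.get("iss") != issuer:
        return False, "iss"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        return False, "aud"
    if len(auds) > 1 and claims.get("azp") != client_id:
        return False, "azp"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "exp"
    # The nonce ties the token to the login attempt that requested it.
    if claims.get("nonce") != nonce:
        return False, "nonce"
    return True, "ok"


def constructed_id_token(claims: dict, alg: str = "RS256") -> str:
    """Builds a token for demonstration only; the signature segment is a
    placeholder because this example carries no RSA key."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'signature-placeholder')}"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("pkce ok:", pkce_matches(verifier, challenge))
    tok = constructed_id_token({"iss": "https://sso.example", "aud": "peak-ai",
                                "exp": int(time.time()) + 300, "nonce": "n1"})
    print(check_id_token_claims(tok, "https://sso.example", "peak-ai", "n1"))
```

The ordering matters: the `alg` pin comes before any claim is trusted, and `exp` is compared against the verifier's own clock rather than a value from the token.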

For API access, bearer keys are scoped to one workspace and can be revoked from Settings in one click. Admins can also force-revoke any key from the admin console.

Rate limits & spending controls

Every API key has per-minute request and token limits, defaulting to 60 requests per minute (RPM) and 200K tokens per minute (TPM). Workspace admins can also set a hard monthly spending cap (X-Usage-Cap-Micros); once spend exceeds it, the gateway returns 402 usage_cap_exceeded for every request until the cap is raised or the month rolls over. Unlike a rate limit, a cap error does not clear by waiting, so this is the kill switch for a runaway integration.
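How the two controls interact, as an added example rather than the gateway's own code: a simulated gateway that enforces the 60 RPM / 200K TPM defaults over a sliding 60-second window and a monthly cap in micros, next to the client-side retry policy that should sit in front of it. The page only specifies the 402 usage_cap_exceeded response; the 429 status and the rate_limited / token_rate_limited error names are assumptions for this example, as is the detail that the request which crosses the cap is itself admitted and later ones are refused.

```python
import time
from collections import deque


class UsageGateway:
    """Simulated gateway: per-key sliding-window request and token limits plus a
    hard monthly spend cap. Statuses other than 402 are assumed, not from the page."""

    def __init__(self, rpm=60, tpm=200_000, cap_micros=None):
        self.rpm = rpm
        self.tpm = tpm
        self.cap_micros = cap_micros   # X-Usage-Cap-Micros; None means no cap
        self.window = deque()          # (timestamp, tokens) for admitted requests
        self.spent_micros = 0
        self.month = None              # (year, month) the spend counter belongs to

    def _roll_month(self, now):
        t = time.gmtime(now)
        if self.month != (t.tm_year, t.tm_mon):
            self.month = (t.tm_year, t.tm_mon)
            self.spent_micros = 0      # the cap resets when the month rolls over

    def admit(self, tokens, cost_micros, now=None):
        """Decide one request. Returns (http_status, error_code_or_ok)."""
        now = time.time() if now is None else now
        self._roll_month(now)
        # Cap first: once spend has passed it nothing else is considered until
        # the cap is raised or the month changes. A 402 is not retryable.
        if self.cap_micros is not None and self.spent_micros > self.cap_micros:
            return 402, "usage_cap_exceeded"
        # Sliding window: forget requests older than 60 seconds.
        while self.window and now - self.window[0][0] >= 60:
            self.window.popleft()
        if len(self.window) >= self.rpm:
            return 429, "rate_limited"
        if sum(t for _, t in self.window) + tokens > self.tpm:
            return 429, "token_rate_limited"
        self.window.append((now, tokens))
        self.spent_micros += cost_micros
        return 200, "ok"

    def raise_cap(self, cap_micros):
        self.cap_micros = cap_micros


def send_with_backoff(gateway, tokens, cost_micros, now, max_attempts=3, wait=1.0):
    """Client policy: retry a 429 after exponential backoff, but treat 402
    usage_cap_exceeded as a hard stop. Retrying a cap error can never succeed,
    and a loop that keeps trying is exactly what the cap exists to stop.
    Returns (status, code, attempts_used)."""
    status, code = None, None
    for attempt in range(max_attempts):
        status, code = gateway.admit(tokens, cost_micros, now)
        if status == 200 or status == 402:
            return status, code, attempt + 1
        now += wait * (2 ** attempt)   # simulated sleep before the next try
    return status, code, max_attempts


if __name__ == "__main__":
    gw = UsageGateway(cap_micros=100)
    for cost in (60, 60, 60):
        print(gw.admit(tokens=500, cost_micros=cost, now=0))
    # -> two 200s, then (402, 'usage_cap_exceeded') until raise_cap or next month
```

In a real client the backoff should also honour any Retry-After the gateway sends, and the 402 branch should page a human rather than silently return.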

Audit logging

Every state change on the API surface is recorded in an append-only audit log:

Admins can filter the log by user_sub from /admin/api-requests → Audit log.

Retention

Vulnerability reporting

Found a security issue? Email security@pearlfibers.com with reproduction steps. We'll acknowledge within one business day and aim to fix critical issues within seven days. Please don't publicly disclose until we've had a chance to ship the fix.

Need a deeper review? If you're evaluating Peak AI for a regulated workload, reach out and we'll share more detail under NDA.