How we handle your data.
Peak AI is built and operated by Pearl Fibers. Here's what we collect, where it lives, how it's protected, and what we never do with it.
What we never do
- We don't train on your prompts. Conversation content and API payloads are not used to fine-tune any model — ours or anyone else's.
- We don't sell or share your data. No advertising networks, no third-party analytics in the chat or API surface.
- We don't log raw API keys. Only an irreversible SHA-256 hash and a short visible prefix (sk-peak-XXXXXXXX…) are stored.
Where your data lives
Peak AI runs on Pearl Fibers infrastructure. Database, application servers, file cache, and audit logs all live in our primary region. Backups are encrypted and kept in the same region. We do not currently mirror customer data to providers outside our control.
Encryption
- In transit: TLS 1.2+ on every endpoint (ai.pearlfibers.com, the gateway at /v1/*, and all SSO traffic to auth.pearlfibers.com).
- At rest: database volumes are encrypted at the storage layer. Provider credentials and other secrets are wrapped with an application-layer cipher on top of disk encryption.
- API keys: stored as SHA-256 hashes. The plaintext key is shown once at creation and never recoverable afterward.
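The hash-plus-prefix storage scheme described above, as an added sketch that is not Pearl Fibers' own code. The in-memory `store`, the function names, the record fields, and the 8-character visible suffix are assumptions made for illustration.

```python
import hashlib
import secrets

KEY_PREFIX = "sk-peak-"  # key format shown on this page
VISIBLE_CHARS = 8        # assumption: the eight X's in sk-peak-XXXXXXXX…


def _digest(key: str) -> str:
    # A fast, unsalted SHA-256 is acceptable here only because the key is a
    # 256-bit random value; it would not be suitable for user passwords.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(store: dict, workspace: str) -> str:
    """Create a key, persist only its hash and visible prefix, and return
    the plaintext exactly once to the caller."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
    store[_digest(plaintext)] = {
        "prefix": plaintext[: len(KEY_PREFIX) + VISIBLE_CHARS],
        "workspace": workspace,  # keys are scoped to one workspace
        "revoked": False,
    }
    return plaintext


def authenticate(store: dict, presented: str):
    """Return the workspace for a valid, unrevoked key, otherwise None."""
    if not presented.startswith(KEY_PREFIX):
        return None
    record = store.get(_digest(presented))
    if record is None or record["revoked"]:
        return None
    return record["workspace"]


def revoke_by_prefix(store: dict, prefix: str) -> int:
    """Revoke using the visible prefix, the only identifier left to display
    once the plaintext is gone. Returns the number of keys revoked."""
    hits = [r for r in store.values() if r["prefix"] == prefix]
    for record in hits:
        record["revoked"] = True
    return len(hits)
```

Because only the digest is stored, a lost key cannot be looked up or re-displayed; the only recovery path is to revoke it and issue a new one.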
Authentication
Sign-in is delegated to Pearl Fibers SSO (OpenID Connect, PKCE, RS256-signed ID tokens). Peak AI never sees your password. Sessions inherit the lifetime of your SSO session; signing out of Pearl Fibers signs you out of Peak AI.
For API access, bearer keys are scoped to one workspace and can be revoked from Settings in one click. Admins can also force-revoke any key from the admin console.
Rate limits & spending controls
Every API key has per-minute request and token limits, defaulting to 60 RPM / 200K TPM. Workspace admins can set a hard monthly spending cap (X-Usage-Cap-Micros); once spend exceeds it, the gateway returns 402 usage_cap_exceeded until the cap is raised or the month rolls over. This is the kill switch for a runaway integration.
Audit logging
Every state change on the API surface is recorded in an append-only audit log:
- Access requests, approvals, and rejections
- Key creation and revocation
- Rate-limit overrides and usage-cap changes
- Rate-limit hits and cap-triggered rejections
Admins can filter the log by user_sub from /admin/api-requests → Audit log.
Retention
- Conversations & messages: kept until you delete them from the chat UI. Deletion is immediate and cascades through database backups within 30 days.
- Per-request API usage events: kept for 90 days for dashboard accuracy, then summarized into daily rollups and pruned.
- Daily usage rollups: kept indefinitely for billing history.
- Audit log: kept indefinitely for compliance.
Vulnerability reporting
Found a security issue? Email security@pearlfibers.com with reproduction steps. We'll acknowledge within one business day and aim to fix critical issues within seven days. Please don't publicly disclose until we've had a chance to ship the fix.