Trust
Last updated 2026-05-03
Certifications
perpelin.io holds the following active certifications: AWS Solutions Architect - Professional, Kubernetes Administrator (CKA), and HashiCorp Terraform Associate. Certifications are renewed on the issuing body's standard cadence.
For engagements where vendor-specific certifications outside that set are required (Azure Solutions Architect Expert, Google Cloud Professional Cloud Architect, etc.), we'll disclose any gap up front and recommend a partner or in-house resource where appropriate.
Compliance posture
Engagements are delivered following compliance-aware engineering practice. Source code goes through hardened build pipelines with signed releases. Production access is federated, time-bounded, and audit-trailed end to end. Configuration changes leave a reviewable evidence trail in the same repository as the infrastructure code, not a separate document pile that nobody updates.
SOC 2 Type 2, ISO 27001, PCI-DSS, PSD2, and GDPR have all shaped engagements perpelin.io has worked on or contributed to. Controls map to engineering practice the team should already be doing (code review, infrastructure as code, signed artifacts, scoped credentials), not the other way around.
For regulated EU engagements that involve a financial-services supervisor, perpelin.io works with your legal and compliance counsel to ensure the architecture and audit trail meet the supervisor's expectations. Compliance-aware engineering is the deliverable; legal sign-off is yours.
At its current engagement size, perpelin.io itself is not a directly audited entity. The audit posture of the firm and the audit posture of work delivered into your environment are separate questions. The latter is what controls actually shape, and that is where the engineering effort goes.
What we sign
Standard engagement paperwork: a Master Services Agreement (MSA), a Statement of Work (SOW) per engagement, a Data Processing Agreement (DPA) where personal data is in scope, and a Non-Disclosure Agreement (NDA) before any technical detail is shared. The NDA checkbox on the contact form triggers an NDA before our first technical call.
We sign the client's paperwork by default and only push back where the language is operationally unworkable (uncapped indemnities, unrealistic SLAs on a consulting deliverable, IP terms that prevent us from reusing patterns across engagements). Disagreements get resolved in writing before the engagement begins.
Production access posture
perpelin.io does not hold long-lived production credentials by default. Access is granted per engagement, time-bounded, scoped to the minimum necessary, audit-trailed end to end, and revoked at engagement close or at the client's discretion at any time.
Preferred access models, in order: AWS IAM Identity Center / Azure Entra federation with the client as the identity provider; SSH/kubectl access via a client-controlled bastion or just-in-time access tool; named-user IAM with MFA when federation isn't available. Shared root credentials are never accepted.
All actions in client environments are logged through the client's standard audit trail. We don't operate a parallel logging stack on client infrastructure.
Subprocessors
perpelin.io uses a minimal set of standard third-party services for site operations and engagement intake: hosting and DNS, the database that stores contact-form submissions, intro-call booking, and transactional email. The full named list is provided under the Data Processing Agreement (DPA) signed before any engagement that involves personal data, and on request to [email protected] ahead of that.
None of these process client data from your engagements. Engagement work happens inside the client's own cloud accounts and tools; no customer data flows through perpelin.io infrastructure.
Material subprocessor changes that affect existing engagements are communicated directly with at least 30 days' notice.
Contact
Trust and security questions: [email protected]. For active engagements, your engagement-specific Slack channel or shared workspace is the fastest path.