Persevo
Security

Built with the assumption that your customer data is sacred.

ISO/IEC 27001 aligned controls, GDPR-ready EU residency, and PCI-DSS scope handled by our payments partner — so card data never reaches a Persevo server. The hard parts of running a payments-grade service in Europe, minimised by design.

Compliance

Three frameworks, none of them theatre.

The certifications and postures that matter — explained at the level that helps you scope your own assessment, not as marketing checkboxes.

ISO/IEC 27001 aligned

Our security programme follows the ISO/IEC 27001 control framework — change management, access reviews, vendor due diligence, incident response and asset inventory, on paper and audited. Our parent operating company holds the certification.

PCI-DSS through a partner

Cardholder data never touches Persevo. Cards are tokenised at the shopper's browser by our PCI-compliant payments partner; we only ever see the token. This keeps your PCI scope minimal and ours intact.

GDPR-ready

EU residency by default. Documented data subject rights workflow — access, rectification, erasure, portability. A Data Processing Agreement is available on request before any data is exchanged.

Practices

What we do, day to day.

Engineering practices that don't make the marketing site, but show up in every audit.

  • All traffic over TLS 1.2+
  • Secrets never logged
  • Data hosted in the EU (Germany)
  • Encrypted at rest and in transit
  • Principle of least privilege for internal access
  • Logging and audit trails for admin actions

Disclosure

Found something? Tell us.

If you're a security researcher and you've found a vulnerability, please email security@persevo.app. We don't run a public bug bounty, but we take responsible disclosure seriously: we acknowledge reports within 5 business days and keep you updated through remediation.

Encrypted communication preferred. A PGP key is available on request.

Data processing

DPA and subprocessors.

The legal and operational picture you’ll need to take Persevo through your own procurement.

Need a DPA?

We sign a Data Processing Agreement before any production data is exchanged. Request a copy at privacy@persevo.app or reference our standing terms at /legal/dpa.

Subprocessors

Purpose | Subprocessor | Region
Cloud hosting (EU): Compute, network, storage | Available under DPA | EU
Payments partner (EU): Card processing, tokenisation | Available under DPA | EU
Transactional email (EU): Delivery of confirmation / receipt emails | Available under DPA | EU
Frontend hosting (EU): Edge delivery of marketing pages | Available under DPA | EU
Monitoring & error reporting (EU): Application observability | Available under DPA | EU
Customer support tooling (EU): Inbound email queue | Available under DPA | EU

The current named subprocessor list is shared under DPA. We notify customers in advance of any material change.

Contact

Talk to our security team.

Whether it's a procurement questionnaire, a disclosure, or a question about EU residency — the security inbox is monitored.