Perforce Security & Compliance

• Information Security and AI Management System (ISMS/AIMS): Our ISMS and AIMS govern enterprise policies, exception handling, and program operations, including incident response and vulnerability management.  
• Risk management: We track risks in a centralized register and drive remediation through owners, timelines, and board‑level visibility. 

• SOC 2 Type 2 (security, availability, confidentiality): The latest attestation for selecting cloud services is available under NDA via our Customer Security Portal (bridge letters provided as needed). 
• ISO 27001: We are executing our ISO/IEC 27001 program and publish certificates for covered business units upon issuance and available on our Trust Center. 
• AI Compliance with ISO 42001: CERTIFICATES EXPECTED JANUARY 2026
• Vendor infrastructure certifications. Our hosting and colocation partners maintain ISO 27001/22301/9001 and SOC attestations. 

• Encryption: TLS 1.2+ for data in transit; encryption at rest for customer data stores; options to integrate with customer identity providers and control application‑level access. 
• Identity & Access: Role‑based access control (RBAC), SSO/SAML/OIDC for supported products, least‑privilege administration, and periodic access reviews. 
• Backups & Resilience: Regular backups, integrity validation, and service‑level recovery plans aligned to product RTO/RPO targets. 
• Privacy: Our DPA incorporates SCCs (and UK addenda where applicable), details subprocessors, and clarifies roles and responsibilities for personal data. 

• Threat modeling & design reviews for significant architectural changes (e.g., SSO integrations).  
• Code security with static, dependency, and container scanning; build integrity controls.  
• Penetration testing across applications and cloud services with remediation tracking to closure.  
• CVE & coordinated disclosure for product issues to ensure customers can assess and remediate quickly. 

• Continuous scanning and intake: We triage findings from scanners, pen tests, third‑party advisories, and coordinated disclosures.
• Risk‑based remediation: Prioritization considers exploitability and business impact; critical issues follow accelerated SLAs. 
• Customer communication: For impactful product vulnerabilities, we publish advisories and remediation steps through official channels and our portal.  

Report a security or AI concern or vulnerability: [email protected]. Please include product, version, and reproduction details. We practice coordinated disclosure and appreciate responsible research. 

• Security Incident Response: Trained responders follow documented procedures for identification, containment, eradication, and recovery. 
• Notification: We notify affected customers consistent with contractual and legal requirements and conduct post‑incident reviews to improve controls. 
• Escalation & Governance: Executive and legal leadership are engaged for major incidents, with evidence handling procedures and law‑enforcement coordination as appropriate. 

• Employee AI acceptable use policy outlines tool approval process, data handling restrictions, and review paths. 
• AI in products adheres to principles for fairness, transparency, and privacy. Where third‑party AI is used, vendors are reviewed against our security and compliance standards. 
• Alignment with emerging standards (e.g., ISO 42001, EU AI Act) as this landscape evolves.
• Learn more about Perforce AI products on our GenAI page.