Perforce Security & Compliance Policies

Perforce develops software that can be accessed via the internet (Software-as-a-Service – SaaS) or that can be directly installed on systems owned by our customers (commonly called on-prem installed software).

A central part of what we do is ensure that our applications are free from defects and are securely designed. All our developed code undergoes robust static analysis and is scanned regularly for vulnerabilities. We keep our development environments separate from our production environments, and tightly control who can access our systems and codebases.

In addition, our applications are regularly tested by third parties to ensure that they do not have vulnerabilities and that they are operating as designed and expected.

In general, Perforce Software SaaS tools are hosted at Amazon, Google, and Microsoft datacenters, running on Amazon Web Service, Google Cloud Platform, and Microsoft Azure Cloud services.

These data centers, which are located in the United States and the European Union, provide robust physical security in addition to state-of-the-art fire suppression, redundant power and HVAC, and biometric access controls with stringent least privilege restrictions. Where data centers are employed to host physical equipment, potent tier 3 (or higher) colocation facilities are employed that provide similarly secure protections.

Perforce regularly replaces their virtual systems with new, patched ones, and works to maintain system consistency using a combination of configuration management, up-to-date images, and continuous deployment. We are constantly working to update our systems to protect your data.

A centrally managed and administered single sign-on solution (SSO) and a multi-factor authentication (MFA) are used wherever possible to authenticate Perforce employees. In addition, Role-Based Access Controls (RBAC) have been implemented to grant users authorization to access resources only when appropriate for their business needs (and no more than what is necessary) based upon their role.

By design, Perforce collects the necessary data for us to effectively do business. Our tools enable customers to store their important data. Therefore, we take the necessary steps to ensure that data is protected when travelling across networks (encrypted with TLS 1.2 or better), when stored (encrypted databases), and ensure that our customers’ data is stored in the fewest number of locations necessary. When not needed anymore, the data is securely deleted.

Our network infrastructure is used to monitor and control traffic to ensure that only authorized connections are allowed. When traversing outside and accessing public networks, data is encrypted with industry-accepted encryption mechanisms to prevent eavesdroppers from accessing the data.

When accessing Perforce networks, systems, and services from outside our offices, robust authentication and encryption mechanisms that leverage industry-leading VPN and authentication technologies are used to ensure that security is maintained.

A critical component to Perforce infrastructure is logging, and we’re monitoring our environments to identify any misuse or problems. Logging is used extensively for application troubleshooting and investigating issues, as well as ensuring that everything is functioning as expected. Logs are streamed in real­time and over secure channels to a centralized logging and monitoring service.

At the core of our resilience to the unexpected is having a plan, practicing it, and keeping it up to date. Our first step to prepare for the unexpected is to build our systems and applications with a reasonable level of resiliency. If something does happen, we have a comprehensive communication process to ensure that we are able to recover quickly, securely, and accurately. At the core of this process is ensuring that our people and our customers are safe, before moving on to effectively restore services.