Security overview
Peekator is built on a security-first architecture designed to protect the sensitive research data our customers collect, analyse and store. This page describes the controls, processes and practices we use to maintain the confidentiality, integrity and availability of that data.
Our security programme is overseen at the leadership level and covers infrastructure hardening, data encryption, access management, incident response, vulnerability management and regulatory compliance.
Infrastructure
Peekator's platform runs on modern cloud infrastructure hosted within the United Kingdom and the European Economic Area. Our hosting providers maintain ISO 27001, SOC 2 Type II and other industry-recognised certifications.
Network isolation
Production environments are isolated from development and testing systems through separate networks and access controls. Public-facing services sit behind managed firewalls and load balancers with automatic threat detection.
Availability
We deploy across multiple availability zones to maintain resilience against hardware failure and regional outages. Critical services are configured for automatic failover with health checks and traffic routing.
Data encryption
Encryption in transit
All data transmitted between users and Peekator services is encrypted using TLS 1.2 or higher. We enforce strong cipher suites and regularly review our TLS configuration against current best practices.
Encryption at rest
Databases, file storage and backups are encrypted at rest using AES-256 or equivalent encryption standards. Encryption keys are managed through our cloud provider's key management service with strict access controls and audit logging.
Research data
Survey responses, interview transcripts, uploaded files and analysis outputs are stored encrypted at rest and transmitted only over secure channels. We do not store card payment details — these are processed directly by our payment provider.
Access controls
Authentication
User accounts are protected by password-based authentication with enforced complexity requirements. Multi-factor authentication (MFA) is available for all accounts and required for administrator roles.
Role-based access
Peekator implements role-based access control within each workspace. Administrators can define who can view, edit, publish or analyse research projects. Permissions are enforced at both the application and database levels.
Principle of least privilege
Peekator personnel are granted access to customer data only when strictly necessary for support, security or legal purposes. Access is logged, time-limited and subject to manager approval.
AI interviews and data handling
Recording and consent
For voice or video AI interviews, participants are clearly informed before recording begins and must provide explicit consent. Participants can end the session at any time. Text-based AI interviews capture written responses only.
Transcript processing
Speech-to-text processing is performed by certified sub-processors under contractual confidentiality obligations. Transcripts are returned to the customer's workspace and are not retained by the speech-to-text provider beyond the processing window.
Data isolation
Interview data, transcripts and analysis outputs are logically separated between customer workspaces. No customer can access another customer's research content.
Model training
Customer data and respondent answers are never used to train foundation models, our own models, or those of our AI sub-processors. Prompts and responses are processed under zero-retention or no-training agreements.
Data backup and recovery
We maintain automated backup processes for critical production data. Database backups are taken at regular intervals and stored encrypted in geographically separate locations.
Backup retention
Daily backups are retained for 30 days. Point-in-time recovery is available for the preceding 7 days, allowing granular restoration when needed.
Business continuity
Peekator maintains a business continuity plan that defines procedures for service restoration, communication with customers and data recovery in the event of a major incident. This plan is reviewed and tested annually.
Monitoring and incident response
Security monitoring
Our infrastructure is monitored continuously for anomalous activity, unauthorised access attempts and performance degradation. Logs are collected, encrypted and retained for security analysis and audit purposes.
Incident response
Peekator maintains a documented incident response plan that defines roles, escalation paths and communication procedures. In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay in accordance with our legal obligations.
Audit logging
Key security events — including authentication attempts, permission changes and data access by Peekator personnel — are logged and reviewed on a regular basis.
Vulnerability management
Patching and updates
Security patches for operating systems, dependencies and infrastructure are applied promptly based on severity. Critical vulnerabilities are addressed within 48 hours of disclosure.
Security testing
We conduct regular vulnerability scanning and penetration testing of our platform and infrastructure. Findings are triaged, prioritised and remediated through a structured workflow.
Code review
All production code changes are reviewed by a second engineer before deployment. Security-sensitive changes undergo additional review.
Compliance
Peekator is committed to complying with applicable data protection and security regulations, including the UK GDPR, the EU GDPR and the UK Data Protection Act 2018.
Data processing
We act as a data processor for respondent data collected through our platform and as a data controller for our own customer and employee data. Data processing agreements are available for enterprise customers on request.
Sub-processors
We use a limited set of sub-processors for cloud hosting, email delivery, payment processing, analytics and AI services. All sub-processors are evaluated for security and privacy practices before engagement and governed by written data processing agreements.
Contact security team
If you have a security concern, vulnerability report or question about our security practices, please contact us at info@peekator.com.
For responsible disclosure of potential vulnerabilities, please include a clear description of the issue, steps to reproduce and any suggested remediation. We aim to acknowledge reports within 48 hours and will work with you to resolve validated issues promptly.
This document is provided for transparency and will be updated as our security practices evolve. The current version supersedes all previous versions.