Security Overview: Encryption, Hosting, Audit Logs
Last updated April 10, 2026
How Peony handles encryption, hosting, access control, audit logs, backups, and incident response. For formal compliance status (SOC 2, GDPR), see Compliance and Certifications.
Encryption
- At rest: AES-256 for all files, metadata, and database contents.
- In transit: TLS 1.2 or higher. Older versions rejected at the edge.
- Passwords and tokens: no plaintext passwords stored. Authentication is OTP-based; SSO tokens are hashed with bcrypt and salted.
- Backups: same AES-256 encryption as primary storage.
Hosting
AWS, US region.
- Files stay on Peony's infrastructure. Viewers read documents in-browser from Peony's servers. Files are never sent to recipients unless you explicitly enable downloads on a link.
- Minimized third-party processing. Core file storage, rendering, and access control all run on Peony's infrastructure.
- AI uses vetted LLM providers. Auto-indexing, Q&A, and extraction call enterprise-tier LLM APIs under data-handling agreements that prohibit training on customer content.
EU-region hosting: see Compliance and Certifications.
Access Control
- Authentication. Admins sign in with email OTP, phone OTP, or Google SSO. No password fallback. See Can't Sign In: OTP Not Arriving.
- 2FA. OTP-first sign-in is already a second-factor challenge. TOTP-based 2FA is on the roadmap.
- SSO. Google Workspace SSO on all paid plans. SAML/Okta/Azure AD on Enterprise.
- Sessions. Admin sessions time out after inactivity. Each session is tied to a device fingerprint and can be revoked from Settings.
- Per-link controls. Email verification, NDA signing, IP allowlist, device-type gating, link expiry. See NDA Gates and Dynamic Watermarks.
- Internal access. Production data access limited to a small on-call rotation. All access logged.
Audit Logs
Every viewer session is logged with:
- Timestamp (start/end)
- Viewer email (if email verification is on)
- IP address
- Device and browser fingerprint
- Pages opened, order, duration
- Download events (if allowed)
- NDA acceptance events
- E-signature events
Session logs are in each room's Analytics tab and exportable as CSV. Admin-side audit logs (link, permission, NDA, team changes) are on Business tier and above.
Logs are retained for the life of the data room, then purged with the room after the soft-delete window.
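As an added illustration (not Peony's code or its real export schema), the Python below reads a constructed CSV session export carrying the fields listed above and flags sessions an admin would want to review: a download recorded without NDA acceptance, page access too fast to be reading, and one verified email arriving from several IPs. The column names, the sample rows and the 10-pages-per-minute threshold are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names follow the page's field list but are assumed, not Peony's schema.
SAMPLE_CSV = """session_start,session_end,viewer_email,ip,device_fingerprint,pages_opened,nda_accepted,download_events
2026-04-01T09:00:00Z,2026-04-01T09:25:00Z,ana@example.com,203.0.113.10,fp-aaa,1;2;3;4,true,0
2026-04-01T09:40:00Z,2026-04-01T09:41:00Z,bob@example.com,198.51.100.7,fp-bbb,1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;16;17;18;19;20;21;22;23;24;25;26;27;28;29;30,true,0
2026-04-01T10:00:00Z,2026-04-01T10:10:00Z,ana@example.com,198.51.100.99,fp-ccc,1;2,false,1
"""

def _ts(value):
    # ISO 8601 with trailing Z; normalise so fromisoformat accepts it on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_sessions(text):
    # Turn one CSV export into a list of typed session dicts.
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append({
            "start": _ts(row["session_start"]),
            "end": _ts(row["session_end"]),
            "viewer_email": row["viewer_email"],
            "ip": row["ip"],
            "pages": len([p for p in row["pages_opened"].split(";") if p]),
            "nda_accepted": row["nda_accepted"].lower() == "true",
            "downloads": int(row["download_events"]),
        })
    return sessions

def review_sessions(sessions, max_pages_per_minute=10):
    # Return (viewer_email, reason) findings for sessions that merit a second look.
    findings = []
    ips_by_viewer = defaultdict(set)
    for s in sessions:
        ips_by_viewer[s["viewer_email"]].add(s["ip"])
        # A download recorded without NDA acceptance means the NDA gate did not hold.
        if s["downloads"] > 0 and not s["nda_accepted"]:
            findings.append((s["viewer_email"], "download without NDA acceptance"))
        # Many pages in very little time looks like bulk capture rather than reading.
        minutes = max((s["end"] - s["start"]).total_seconds() / 60, 1 / 60)
        if s["pages"] / minutes > max_pages_per_minute:
            findings.append((s["viewer_email"], "rapid page access"))
    # The same verified email arriving from several source IPs in one export.
    for viewer, ips in ips_by_viewer.items():
        if len(ips) > 1:
            findings.append((viewer, "multiple source IPs"))
    return findings

if __name__ == "__main__":
    for viewer, reason in review_sessions(parse_sessions(SAMPLE_CSV)):
        print(f"{viewer}: {reason}")
```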
Data Retention and Deletion
- Retained until you delete. No automatic purge based on age.
- 30-day soft-delete. After deletion, data rooms enter a grace period and can be restored on request.
- After soft-delete: data purged from primary storage. Backups age out on the normal retention schedule.
GDPR / CCPA deletion requests: deqian@peony.ink.
Backup and Disaster Recovery
- Cadence: automated snapshots every 4 hours.
- Retention: 30 days rolling.
- Restore scope: individual rooms, folders, or files — email support with the workspace name and item to restore.
Accidentally deleted something? Email sean@peony.ink or deqian@peony.ink with the workspace name and the item name. See Contact Support.
Incident Response
- Triage. Production systems monitored for anomalies. Confirmed incidents triaged within business hours.
- Notification. Incidents affecting customer data disclosed to affected customers within 72 hours of confirmation (GDPR Article 33).
- Post-incident reports. Available for Enterprise customers on request.
- Bug disclosures. Peony discloses product bugs directly to affected customers in plain English. Transparency over obfuscation.
