Encryption at Rest
All databases and storage volumes are encrypted with AES-256. Your keys are managed via AWS KMS.
SOC 2 Ready Design
Our infrastructure is built on SOC 2 compliant AWS services, designed from day one for strict security controls.
Data Residency
All Canadian user data is stored exclusively in the AWS Canada (ca-central-1) region.
Our Security Architecture
PeakShift is built on a "Zero Trust" architecture. This means we assume no user or device is trustworthy by default, even if they are inside our network perimeter.
Compliance & Standards
- Green Button Connect My Data (CMD): We are a fully certified Data Custodian, adhering to the rigorous technical standards set by the Green Button Alliance (GBA) and Ontario Energy Board (OEB).
- PIPEDA: Our privacy practices are designed to meet or exceed the Personal Information Protection and Electronic Documents Act.
API & Integration Security
For developers and partners integrating with the PeakShift Platform:
- API Key Hashing: We never store your raw API keys. They are hashed using SHA-256 before storage, meaning even we cannot see your original key.
- Webhook Integrity: All webhook events are signed with an HMAC-SHA256 signature (`X-PeakShift-Signature`) so you can verify the event truly originated from us.
- Rate Limiting: Our API implements strict rate limiting to prevent abuse and ensure stability for all tenants.
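
An added example (not PeakShift's own code) of how a webhook receiver might check the `X-PeakShift-Signature` header described above. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body under a shared webhook secret; the page does not state the encoding or the exact signed payload, and the secret, event body and function names here are constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-PeakShift-Signature"  # header name taken from the page


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header holds a valid HMAC-SHA256 of raw_body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not isinstance(received, str) or not received:
        return False  # unsigned events are rejected, never accepted by default
    # Assumption: hex digest computed over the exact bytes received on the wire.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of a forged signature were correct.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


def demo() -> dict:
    """Run the verifier over constructed sample events."""
    secret = b"constructed-demo-secret"                    # constructed value
    body = b'{"event":"usage.updated","kwh": 12.5}'        # constructed event
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()  # sender side
    headers = {"x-peakshift-signature": sig}
    # Common receiver bug: verifying a parsed and re-encoded body instead of
    # the raw bytes. Whitespace changes, so the signature no longer matches.
    reserialized = json.dumps(json.loads(body)).encode()
    return {
        "valid": verify_webhook(secret, body, headers),
        "reserialized": verify_webhook(secret, reserialized, headers),
        "tampered": verify_webhook(secret, body.replace(b"12.5", b"99.9"), headers),
        "missing_header": verify_webhook(secret, body, {}),
        "wrong_secret": verify_webhook(b"other-secret", body, headers),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Verify against the raw request bytes before any JSON parsing, and reject the event outright when the check fails.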
Vulnerability Reporting
Found a vulnerability?
We take security reports seriously. If you believe you've found a security issue in our platform, please report it to our security team immediately.
Employee Access
Access to customer data is tightly restricted. By default, no employee has access to your raw energy usage data. Access is granted only:
- For specific customer support requests you initiate.
- To authorized administrative personnel for debugging critical issues.
- Via time-limited, logged sessions.