Security
Last updated: April 10, 2026
Perfbase processes performance profiling data from your PHP applications. This page describes how we protect that data.
What we collect (and what we don't)
The Perfbase extension collects structural performance data: which functions were called, how long they took, how much memory they used, and what database queries they executed.
It does not capture:
- Database row contents or query parameter values. SQL queries are normalized, and literal values are replaced with placeholders before leaving your server.
- HTTP request or response bodies.
- Passwords, API keys, tokens, or credentials.
- Session data, cookies, or environment variables.
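The normalization step behind the first bullet is easy to misjudge, so here is a small added example of the idea (illustrative code written for this page, not the Perfbase extension, whose exact rules are not published here). It tokenizes a query, replaces every string, numeric and hex literal with `?`, collapses whitespace, and folds `IN (?, ?, ?)` lists to `IN (?)` so the stored shape does not reveal how many values were supplied. Matching identifiers before numbers is what keeps `user2` from becoming `user?`.

```python
import re

# Token grammar. Order matters: identifiers are tried before numbers so that
# a table called `user2` keeps its name, and strings are tried first so that
# nothing inside quotes is ever inspected as anything but a literal.
_TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^'\\]|\\.|'')*')            # '...' with \' or '' escapes
    |(?P<dstring>"(?:[^"\\]|\\.)*")              # "..." (treated as a literal; conservative)
    |(?P<ident>[A-Za-z_][A-Za-z0-9_]*)           # identifier or keyword
    |(?P<hex>0[xX][0-9A-Fa-f]+)                  # hex literal
    |(?P<number>\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)  # integer / float literal
    |(?P<space>\s+)
    |(?P<other>.)                                # operators, punctuation, etc.
    """,
    re.VERBOSE | re.DOTALL,
)

_IN_LIST_RE = re.compile(r"\bIN\s*\(\s*\?(?:\s*,\s*\?)*\s*\)", re.IGNORECASE)


def normalize_sql(query: str) -> str:
    """Return the query with every literal replaced by '?' and whitespace collapsed.

    Only the structure of the statement survives; row values, ids, emails and
    other parameter values present in the original text do not.
    """
    out = []
    for m in _TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind in ("string", "dstring", "hex", "number"):
            out.append("?")
        elif kind == "space":
            out.append(" ")
        else:
            out.append(m.group())
    text = "".join(out).strip()
    # IN (?, ?, ?) -> IN (?): the number of values is itself data about the request.
    return _IN_LIST_RE.sub("IN (?)", text)


if __name__ == "__main__":
    # Constructed sample queries for demonstration only.
    for q in (
        "SELECT * FROM users WHERE email = 'a@b.com' AND id IN (1, 2, 3)",
        "UPDATE user2 SET name = 'O\\'Brien' WHERE id = 42",
        "select  x\n  from t where t.v = 'it''s' and flags = 0x1F",
    ):
        print(normalize_sql(q))
```

When reviewing a normalizer like this, the cases worth checking are the escape forms your database accepts (`\'` versus `''`), identifiers that contain digits, and comments, which this version leaves untouched and which a production implementation should strip as well.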
Encryption
- In transit: All connections use TLS. The ingestion endpoint accepts HTTPS only.
- At rest: Profiling data and database volumes are encrypted with AES-256.
- Backups: Database backups are encrypted and stored separately from production data.
Authentication
- Email and password (bcrypt-hashed).
- GitHub OAuth.
- SSO/OIDC, available on all plans.
- Two-factor authentication (TOTP) with backup codes.
Access control
- Role-based access: owner, admin, and member.
- API keys are scoped to a specific organization and project. They can be revoked instantly.
- Every API request is authorized through an organization and project scoping chain. There are no global keys.
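The scoping chain described above is a pattern, not just a policy, and an added illustration (written for this page, not Perfbase's own service code; the data structures and field names are assumptions) makes the checks concrete: a key names exactly one organization and one project, the project must actually belong to that organization, and a revoked key fails immediately regardless of what it was scoped to.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class ApiKey:
    key_id: str
    org_id: str        # the single organization this key belongs to
    project_id: str    # the single project this key may touch
    revoked: bool = False


@dataclass
class Tenancy:
    """Minimal in-memory model of organizations, projects and keys (constructed)."""
    project_org: Dict[str, str] = field(default_factory=dict)  # project_id -> org_id
    keys: Dict[str, ApiKey] = field(default_factory=dict)      # key_id -> ApiKey

    def revoke(self, key_id: str) -> None:
        # Revocation takes effect on the next authorize() call; nothing is cached.
        self.keys[key_id].revoked = True


def authorize(tenancy: Tenancy, key_id: str, org_id: str, project_id: str) -> Tuple[bool, str]:
    """Walk the key -> organization -> project chain for one API request.

    Every step must pass. There is deliberately no branch that grants access
    across organizations, which is what "no global keys" means in practice.
    """
    key = tenancy.keys.get(key_id)
    if key is None:
        return False, "unknown key"
    if key.revoked:
        return False, "key revoked"
    if key.org_id != org_id:
        return False, "key not scoped to this organization"
    if key.project_id != project_id:
        return False, "key not scoped to this project"
    if tenancy.project_org.get(project_id) != org_id:
        # Guards against a key whose project was moved or never belonged to the org.
        return False, "project does not belong to organization"
    return True, "ok"


def demo_tenancy() -> Tenancy:
    # Constructed sample data: two organizations, three projects, two keys.
    t = Tenancy()
    t.project_org.update({"p-web": "org-a", "p-api": "org-a", "p-other": "org-b"})
    t.keys["k1"] = ApiKey("k1", "org-a", "p-web")
    t.keys["k2"] = ApiKey("k2", "org-b", "p-other")
    return t


if __name__ == "__main__":
    t = demo_tenancy()
    print(authorize(t, "k1", "org-a", "p-web"))    # (True, 'ok')
    print(authorize(t, "k1", "org-a", "p-api"))    # wrong project
    print(authorize(t, "k1", "org-b", "p-other"))  # wrong organization
    t.revoke("k1")
    print(authorize(t, "k1", "org-a", "p-web"))    # revoked
```

The order of the checks is a design choice: revocation is tested before any scope comparison so that a revoked key yields the same denial everywhere, and the final project-to-organization lookup catches inconsistencies in the tenancy data itself rather than trusting the key's two fields in isolation.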
Data retention
Profiling data is automatically and permanently deleted after your plan's retention period (1 to 90 days depending on plan). Each trace has an expiry timestamp set at ingestion, and deletion is enforced by a background process, not a manual step.
Account deletion removes all associated data immediately and irreversibly.
Infrastructure
- Hosted on dedicated infrastructure with automatic scaling and high-availability databases.
- Network-level isolation between services.
- Continuous monitoring and alerting.
- Automated, encrypted backups with point-in-time recovery.
Compliance
- GDPR: Data minimization by design. Export and deletion available via account settings and API. Breach notification within 72 hours. See our Privacy Policy for details.
- Data residency: Trace data can be stored in one of three regional groups: Europe (France, Germany, London, Poland), APAC (India, Singapore, Sydney), or America (Toronto).
- Audit logging: All security-relevant actions (logins, member changes, API key operations, billing events) are recorded with actor, timestamp, and IP address.
Reporting vulnerabilities
If you discover a security vulnerability, please report it to [email protected]. We acknowledge reports within 24 hours and will work with you to resolve the issue before any public disclosure. We do not pursue legal action against good-faith security research.