Legal

Privacy Policy

Effective date: April 11, 2026

Overview

Peveka Solutions Inc ("Peveka," "we," "our," or "us") is committed to protecting the confidentiality of your information. This Privacy Policy describes how we handle data collected through our website (the "Site") and through our forensic intelligence platforms and bespoke AI engagements (collectively, the "Services"). Our security architecture is built on a foundational principle: your data should never be at risk. That principle governs both how we build our platforms and how we handle information you share with us through this Site. This policy should be read alongside our Acceptable Use Policy, Data Retention Policy, and related operational policies that govern how we manage and protect information across all service layers.

Information We Collect

Contact and Inquiry Data

When you submit a request through our Site, we collect the information you provide, which may include your name, organization, work email address, job title, engagement type, and a description of your project environment. This information is used solely to respond to your inquiry and facilitate an initial technical intake discussion.

Automatically Collected Data

Our Site may collect standard web server log data, including your IP address, browser type, referring URL, and pages visited. This data is used for security monitoring and to maintain the operational integrity of the Site. We do not use third-party analytics platforms or behavioral tracking tools.

Platform Session Data

When you use our forensic intelligence platforms, any project data you upload — including Oracle Primavera P6 .XER schedule files, Deltek Cobra cost reports, and associated documents — is processed exclusively in volatile memory (RAM) for the duration of your session. No platform session data is written to disk, stored on external servers, or retained in any form after your session terminates.

How We Use Your Information

We use the information you provide through our Site contact form exclusively to:
  • Respond to your inquiry and schedule a technical intake session
  • Provide information about our platforms and bespoke engagement services
  • Fulfill any contractual obligations arising from your engagement with us
  • Comply with applicable legal requirements

We do not use your contact information for unsolicited marketing communications. We do not sell, rent, or share your personal information with third parties for marketing purposes.

Platform Data and the Zero-Persistence Model

Peveka Solutions operates on a stateless, wipe-on-close security architecture for all platform services. This means:
  • All client-uploaded data is processed entirely in volatile memory (RAM)
  • No project data — including schedule structures, cost data, or work package identifiers — is ever written to disk or an external server
  • All session memory is completely deallocated and flushed upon session termination
  • No residual project data exists on Peveka infrastructure after a session ends

This architecture is not a policy preference — it is a technical constraint built into every platform we deploy. It can be independently verified through security audit and technical review as part of any enterprise engagement.

Zero-Training Guarantee

Client data — including schedule structures, work package names, cost anomalies, and all other project-specific information processed through our platforms — is never used to train, fine-tune, update, or otherwise improve any foundational AI model, including our own. This guarantee applies without exception and is available as a contractual commitment in all engagement agreements. Your competitive intelligence, project methodology, and proprietary cost structures do not contribute to any model that could benefit a competitor, a government agency, or any other party. The guarantee covers all three vectors: no retention for training purposes, no fine-tuning using client data, and no model weight updates derived from client queries or uploads.

Acceptable Use

The Peveka platform is provided for legitimate project controls, forensic analysis, and compliance purposes. The following defines permitted and prohibited use.

Authorized Uses

  • Uploading and querying proprietary project documents for forensic performance analysis
  • Running AI-assisted schedule audits, cost variance analysis, and compliance assessments
  • Accessing platform features consistent with your assigned role (Admin, Analyst, or Viewer)
  • API integrations by authorized developers using issued credentials

Prohibited Activities

Users may not engage in any of the following:

  • Unauthorized access: attempting to access another organization's data; probing for vulnerabilities without prior written permission
  • Data abuse: uploading illegal content; processing data without required consent; scraping or bulk-exporting data for competitive intelligence purposes
  • Service abuse: deliberate service overloading (DDoS); automated abuse of rate limits; cryptocurrency mining on platform infrastructure
  • Security circumvention: bypassing authentication mechanisms; tampering with audit logs; exploiting vulnerabilities without responsible disclosure
  • Malicious content: uploading malware or malicious code; submitting prompt injection attacks designed to exfiltrate data or manipulate AI outputs
  • Account sharing: sharing credentials between users; creating accounts on behalf of ineligible parties

AI-Specific Restrictions

  • Do not submit prompts designed to extract training data, model weights, or system configuration
  • Do not use AI features to generate misleading, defamatory, or harmful content
  • AI outputs are advisory — you are responsible for verifying accuracy before acting on any result in a legal, contractual, or financial context

Enforcement

Violations of this Acceptable Use Policy may result in immediate account suspension, termination of your subscription without refund, or legal action where warranted. Peveka reserves the right to monitor platform usage for policy compliance in accordance with this Privacy Policy.

Responsible disclosure: security researchers who identify vulnerabilities are encouraged to report them to security@pevekasolutions.com before public disclosure. We will acknowledge within five business days and work towards remediation.

Data Retention

We retain different categories of data for defined periods, after which data is securely deleted. Platform session data is not retained at all — it is flushed at session termination by design.

| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Platform session data (uploaded files, queries) | Not retained — flushed at session termination | Cryptographic memory flush on session close |
| Customer knowledge documents (enterprise deployments) | Duration of subscription + 30 days | Hard-delete on account deletion or automated job |
| Audit logs | 1 year | Scheduled batch purge after retention window |
| Contact and inquiry data (website form) | Until purpose fulfilled + 90 days | Deleted on written request or automated purge |
| User account data | Duration of subscription + 30 days | Account deletion via identity provider management API |
| Server access logs | 90 days | Automated log retention policy |
| Billing records | 7 years | Legally required — non-deletable; stored by payment processor |
| Backup snapshots | 30 days rolling | Automatic bucket lifecycle policy |

Customer-Initiated Deletion (Right to Erasure)

Upon written request, we will delete any personal information we hold about you, subject to any legal retention obligations. Deletion requests are fulfilled within 30 days of receipt. Deletion cascades to all associated data: knowledge documents, audit history, and account records. A deletion confirmation is sent to your registered contact email upon completion.

Data Minimisation

We collect only the data necessary to provide the service. No biometric data or special-category data under GDPR Article 9 is processed. Fields collected through the platform and website are documented in the "Information We Collect" section above.

Subprocessors & Third-Party Vendors

Peveka engages a limited set of third-party subprocessors to operate the platform. All subprocessors are required to execute a Data Processing Agreement (DPA) and maintain security standards appropriate to the sensitivity of data they handle. The current subprocessor list is maintained below.

| Vendor | Role | Data Processed | Region | Compliance |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | Core infrastructure | All platform data (compute, storage, networking) | US (multi-region) | SOC 2 Type II; GCP DPA executed |
| Auth0 (Okta) | Identity & access management | User credentials, session tokens | US | SOC 2 Type II; Auth0 DPA executed |
| Google Gemini API | AI inference (standard deployments) | Document content — transient, not stored by Google per API terms | US | Google Cloud DPA executed |
| Stripe | Billing & payments | Payment method tokens (raw card data is never processed by Peveka) | US | PCI DSS Level 1; Stripe DPA executed |

Air-Gapped & Federal Enclave Deployments

For programs requiring FedRAMP High or DOD IL4 compliance, inference routes exclusively through the client's own authorized government cloud environment (Vertex AI on GCP Government us-gov-central1, or AWS GovCloud Bedrock us-gov-west-1). In these configurations, no data transits the commercial cloud — all processing occurs within the client-controlled federal boundary. The standard subprocessor list above does not apply to enclave deployments.

Vendor Assessment & Annual Review

Before onboarding any new subprocessor that processes customer data, we complete a vendor security review, execute a DPA, and verify that data residency aligns with customer commitments. All subprocessors are reviewed annually: DPA currency is confirmed, latest SOC 2 attestations are reviewed, and any changes to vendor data handling practices are evaluated.

Vendors are contractually required to notify Peveka of any security incident involving customer data within 24 hours. Upon receiving such notification, Peveka follows its Incident Response Policy and notifies affected customers within 72 hours as required under GDPR.

Data Sharing and Disclosure

We do not sell or share your personal information with third parties except in the following limited circumstances:
  • With your explicit consent
  • To comply with a valid legal obligation, court order, or governmental request — in which case we will notify you to the extent permitted by law
  • To protect the rights, property, or safety of Peveka Solutions, our clients, or others
  • In connection with a merger, acquisition, or sale of company assets, in which case any successor entity will be bound by the terms of this Policy

Security Practices

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we handle. The key controls governing our security posture are described below.

Access Control

  • Principle of least privilege: users are granted only the access necessary for their assigned role
  • Role-based access control (RBAC): three roles govern platform access — Admin, Analyst, and Viewer — enforced at both the application and data layers
  • Multi-factor authentication (MFA): required for all production system access and identity provider administration
  • Access revoked within 24 hours of role change or separation
  • Production database and cloud console access is restricted to named engineers and audited via cloud audit logs

Encryption Standards

| Layer | Standard |
|---|---|
| Data in transit | TLS 1.2+ enforced on all endpoints |
| Data at rest | AES-256 (GCP Cloud SQL default encryption) |
| Secrets and credentials | GCP Secret Manager — never stored in source code or environment files |
| Authentication tokens | RS256-signed JWTs via identity provider |

Vulnerability Management

  • Automated dependency scanning via GitHub Dependabot and npm audit on every build
  • Static application security testing (SAST) integrated into the CI pipeline
  • Critical and high CVEs: remediated within 7 days of identification
  • Medium CVEs: remediated within 30 days
  • Annual penetration testing by a qualified third-party firm

Business Continuity

  • Platform services target recovery within 4 hours for a regional cloud outage, with a recovery point objective of under 1 hour
  • Automated daily database backups with 30-day point-in-time recovery; backups encrypted at rest
  • Application layer auto-scales across availability zones with no single point of failure
  • Business continuity procedures are tested annually including backup restore drills and failover simulations

No method of transmission over the internet or electronic storage is perfectly secure. We cannot guarantee absolute security, but we hold the protection of your data as a foundational obligation — not a secondary consideration.

Incident Response & Breach Notification

Peveka maintains a formal Incident Response Policy governing how we identify, classify, contain, and communicate security and service incidents. Our procedures are calibrated to meet GDPR 72-hour breach notification obligations.

Incident Classification

| Severity | Definition | Initial Response | Containment Target |
|---|---|---|---|
| P1 — Critical | Confirmed data breach, total service outage, active exploitation | 1 hour | 4 hours |
| P2 — High | Partial service disruption, suspected breach, privilege escalation | 4 hours | 24 hours |
| P3 — Medium | Degraded performance, failed security control | 24 hours | 72 hours |
| P4 — Low | Isolated anomaly, informational alert | 5 business days | 30 days |

Response Process

  • Detection & Triage: continuous monitoring alerts page the on-call engineer; P1 incidents are acknowledged within 15 minutes
  • Containment: affected systems are isolated (API keys revoked, accounts disabled, firewall rules applied); forensic evidence is preserved before remediation begins
  • Eradication & Recovery: root cause is identified; patch or configuration fix is deployed; service is restored and validated
  • Post-Incident Review: completed within 5 business days; timeline documented; action items tracked; policy and runbook updates applied

Customer & Regulatory Notification

  • Data breaches involving customer PII: affected customers are notified within 72 hours of confirmed breach per GDPR Articles 33 and 34
  • Notification content includes: nature of the breach, categories of data affected, likely consequences, and measures taken or proposed
  • Where a breach is likely to result in a risk to individuals, the relevant GDPR supervisory authority is notified within 72 hours
  • Enterprise clients may request post-incident reports as part of their engagement agreement

Your Rights

Depending on your jurisdiction, you may have rights regarding the personal information we hold about you, including the right to:
  • Access a copy of the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict our processing of your information
  • Withdraw consent where processing is based on consent
  • Data portability — receive your data in a structured, machine-readable format

To exercise any of these rights, please contact us at privacy@pevekasolutions.com. We will respond within 30 days. For complex requests, this period may be extended by up to two additional months, in which case we will notify you of the extension and the reason.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform capabilities. When we do, we will revise the effective date at the top of this page. For material changes, we will notify active customers by email or via a platform notice prior to the change taking effect. Continued use of our Site following the posting of changes constitutes your acceptance of those changes.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Peveka Solutions Inc
privacy@pevekasolutions.com

For security vulnerability reports or responsible disclosure, contact security@pevekasolutions.com. We acknowledge reports within five business days.

For enterprise security reviews, compliance documentation requests, or NDA execution prior to a technical intake, use our Site contact form and select "General Inquiry."

© 2026 Peveka Solutions Inc. All rights reserved.