Security Measures

Last updated March 2026 · Appendix C to the Data Processing Agreement


1. Overview

This document describes the technical and organisational security measures implemented by Photosynth AI Limited (trading as Perry AI) to protect Personal Data and ensure the ongoing confidentiality, integrity, and availability of its products and services. Further details on any specific measure are available upon request at [email protected].

Perry AI reserves the right to update these measures at any time, provided that any such updates do not materially reduce or weaken the protection provided for Personal Data.


2. Platform overview

The Perry AI platform is an AI-powered legal services workspace for private capital funds. It is delivered as a cloud service accessible via a web interface and API. Subscriber data is stored in MongoDB Atlas (Ireland, EU West region). The platform enables legal workflows including document processing, agentic task execution, contract review, and AI-assisted legal intelligence on the Subscriber's own documents and data.


3. Sub-processors

Perry AI engages carefully vetted sub-processors for specific purposes. For a full list, please see the Pre-approved Sub-processors page.


4. Information security management

Perry AI operates in accordance with the principles of ISO/IEC 27001:2022 and is working towards formal certification under that standard. The ISO/IEC 27001 framework provides guidelines for planning, implementing, maintaining, and improving information security across Perry AI's organisation and products.


5. Access control

Measures to prevent unauthorised access to IT systems and Personal Data:

  • Perry AI applies the principle of least privilege and role-based access controls — employees are only authorised to access data necessary for their specific responsibilities.

  • Multi-factor authentication (MFA) is required for all access to systems containing Personal Data, including the production environment.

  • Access rights are reviewed at least annually and revoked immediately upon change of role or termination of employment.

  • Perry AI supports single sign-on (SSO) via SAML 2.0 for enterprise customers.


6. Physical security

Subscriber data is stored on MongoDB Atlas, hosted in Ireland (EU West region). MongoDB Atlas data centres provide industry-leading physical security including 24×7×365 surveillance, biometric access controls, and redundant power, networking, and cooling. All data centres meet or exceed ISO 27001 physical security requirements. Perry AI does not operate its own data centres.


7. Encryption

  • All Subscriber data at rest is encrypted using AES-256 or equivalent strength algorithms.

  • All data in transit is encrypted using TLS 1.2 or higher.

  • Bring Your Own Key (BYOK) encryption is available for enterprise customers who require additional control over their encryption keys.


8. Data separation and isolation

  • Subscriber environments are logically separated at all times. No Subscriber can access data belonging to another Subscriber.

  • Development, testing, staging, and production environments are strictly separated to prevent unintentional co-mingling of data.

  • Separate data processing systems are used for different purposes, and all systems require valid authorisation to access.


9. Vulnerability management and penetration testing

  • Perry AI conducts third-party penetration tests at least annually and following material changes to the platform.

  • Automated vulnerability scanning is performed on a continuous basis across all production infrastructure.

  • Critical vulnerabilities are patched on an expedited basis. All patches are applied in accordance with a risk-based patch management process.


10. Audit logging and monitoring

  • Systems are monitored continuously for security events to enable rapid detection and resolution.

  • Security logs are centrally stored and indexed, and retained for at least 12 months.

  • All log entries are traceable to individual users with timestamps, enabling investigation of security events or nonconformities.


11. Backup and business continuity

  • Regular automated backups are performed and verified to ensure integrity and availability of Subscriber data. Incremental and point-in-time recovery is available for primary databases.

  • Backups are encrypted in transit and at rest.

  • Perry AI maintains a business continuity plan that is tested at regular intervals. In the event of a serious incident, documented processes and procedures are followed to restore services as quickly as possible.


12. Supplier management

Perry AI conducts security due diligence on all sub-processors and key suppliers prior to engagement. Contracts with suppliers address information security requirements. Perry AI reviews suppliers' compliance and access rights on a regular basis and holds suppliers to obligations that are at least equivalent to those applied within Perry AI's own environment.


13. Personnel security

  • All Perry AI personnel are required to comply with the company's information security and confidentiality policies. Appropriate background checks are conducted to the extent permitted by applicable law.

  • All personnel sign confidentiality agreements and receive security and data protection training on joining, with periodic refresher training.

  • Access credentials are revoked promptly upon termination of employment or change of role.

  • Perry AI personnel will not access customer data without authorisation.


14. Risk management

  • Perry AI conducts periodic risk assessments to identify, evaluate, and treat information security risks.

  • Information security conditions and compliance are reported to senior management on a regular basis.

  • Perry AI maintains security incident response procedures to ensure prompt and effective response to any security incident or Personal Data breach.


15. No training on Subscriber data

Perry AI will not use Subscriber Content or Personal Data to train, fine-tune, or improve any AI model — its own or those of its sub-processors — without the Subscriber's prior written consent. This applies to all AI model inference performed by sub-processors on the platform's behalf.


16. Data retention

During the term of the DPA, Personal Data processed by Perry AI is subject to the retention requirements instructed by the Subscriber from time to time. Following termination or expiry of the DPA, clause 11 of the DPA applies. Unless otherwise agreed or required by law, Subscriber data is deleted within 90 days of the Agreement ending.