Security & Trust

How we protect your data

Performance West handles sensitive regulatory and provider information. Security is built into how we operate — from the infrastructure up to every filing.

Independently verified

TLS A+ (Qualys SSL Labs)

Every connection uses modern, AEAD-only encryption (TLS 1.2/1.3).

Security Headers A

HSTS (preloaded), CSP, X-Frame-Options and more.

HIPAA · PCI · NIST compliant TLS

Encryption posture independently scanned and confirmed compliant with HIPAA, PCI DSS, and NIST guidance.

SOC 2 Type II hosting

Our systems run in a SOC 2 Type II compliant data center with physical and operational controls.

PCI-compliant payments (Stripe)

We never store card data. All payments are processed by Stripe (PCI DSS Level 1).

Email authentication

SPF, DKIM, DMARC, and MTA-STS protect against spoofing of our domain.

Our security practices

Encryption everywhere. All traffic to our website, client portal, and APIs is encrypted in transit with TLS 1.2/1.3. Sensitive data is encrypted at rest.

Least-data principle. We collect only the information needed to complete your filing, and we don’t sell your data. For payments we never touch card numbers — Stripe handles them directly.

Hardened infrastructure. Our servers sit behind a default-deny firewall with only the necessary public services exposed, automatic security updates, intrusion monitoring, and isolated environments for each workload.

Access control. Administrative access is key-based and restricted; we follow least-privilege and review access regularly.

Healthcare data. For provider clients, we handle CMS/NPPES information with care and only as needed to prepare and submit your filings. We do not post your private details publicly, and we delete working copies of sensitive documents when an engagement is complete.

Report a security issue

We welcome responsible disclosure. If you believe you’ve found a vulnerability, please email security@performancewest.net or call (888) 411-0383. Our machine-readable policy is published at /.well-known/security.txt.

Note: Performance West provides compliance consulting services, not legal advice. See our Privacy Policy and Terms of Service.
