On the Perses team, we are not security experts, but we care about security and want to do our best to keep our users safe.
The Perses application can store and manage secrets used for data source connections. All stored secrets are encrypted at rest and decrypted in memory when needed. The encryption key should be generated by the user and provided to the application at startup.
Apart from these secrets, the application does not store any sensitive data. Metrics and logs created by the application are not considered sensitive and should not contain any sensitive data.
The application does not collect any personal data.
By default, the application is not secured and does not require any authentication. However, it is possible to enable authentication and authorization through the configuration. Read the documentation for more details: https://perses.dev/perses/docs/configuration/configuration/.
Perses also supports TLS encryption for communication between the client and the server. It can be enabled through the configuration.
If you have found a security vulnerability in our software, please report it to us by sending an email to perses-team@googlegroups.com.
Special note for security scanner users: Please be mindful of the reports produced. Most scanners are generic and produce lots of false positives. More and more reports are being sent to us, and it takes a significant amount of work to go through all of them and reply with the care you expect. This problem is particularly bad with Go and NPM dependency scanners.
As a courtesy to us and our time, we would ask you not to submit raw reports. Instead, please submit them with an analysis outlining which specific results are applicable to us and why.