Trust Center
Data Protection
Encryption, backups, and privacy practices
Protecting your well data and production information is fundamental to how we operate PetroBench.
Encryption
All customer data is encrypted both in transit and at rest:
| State | Method |
|---|---|
| In Transit | TLS 1.2+ encryption on all connections |
| At Rest | AES-256 encryption via AWS managed keys |
| Backups | AES-256 encryption, same standard as primary data |
| Database | Encrypted at the storage layer using AWS RDS encryption |
Data Isolation
Customer data is logically isolated between organizations:
- Each organization's data is segregated at the database level
- Access controls prevent cross-organization data access
- API authentication ensures that requests access only authorized data
- Tenant isolation is enforced at the application and database layers
Backups
| Aspect | Details |
|---|---|
| Frequency | Daily automated backups |
| Type | Full snapshots with point-in-time recovery capability |
| Retention | 30 days |
| RPO | 24 hours (maximum data loss in a disaster scenario) |
| RTO | 4 hours (target time to restore service) |
| Encryption | AES-256 |
| Testing | Backup restoration tested quarterly |
| Storage | Backups stored in a separate AWS region from primary data |
Data Retention
| Scenario | Retention |
|---|---|
| Active account | Data retained for the duration of the service agreement |
| Account termination | Data deleted within 30 days of termination |
| Customer-requested deletion | Processed within 30 days of written request |
| Backups after deletion | Purged from backup rotation within 30 days |
| Audit logs | Retained for 1 year |
Customers may request data export at any time before account termination.
Data Residency
All customer data is stored and processed in the United States:
| Component | Location |
|---|---|
| Application servers | AWS US East (Virginia) |
| Databases | AWS US East (Virginia) |
| Backups | AWS US region (separate from primary) |
| CDN Edge Cache | Cloudflare global edge (static assets only, no customer data) |
No customer well data, simulation results, or account information is transferred outside the United States.
Privacy
What We Collect
PetroBench collects data necessary to provide the service:
- Well Data: Information you enter about wells, equipment, and configurations
- Simulation Data: Inputs, parameters, and results from RodSim simulations
- Account Information: User profiles, authentication credentials, organization details
- Usage Data: Platform interaction data for improving the service (anonymized)
How We Use Your Data
- Your well data and simulation results are used solely to provide PetroBench services
- We do not sell, share, or monetize customer data
- We do not use customer data to train machine learning models
- Usage analytics help us improve platform performance and features
Your Rights
- Export: Request a full copy of your data at any time (delivered within 30 days)
- Deletion: Request deletion of your data (completed within 30 days)
- Correction: Update or correct your information through the platform
- Portability: Data exports provided in standard formats (CSV, JSON)
- Access: Request details on what data we hold about you
For privacy inquiries, contact legal@petrobench.com.
Data Processing Agreement
Enterprise customers can request a Data Processing Agreement (DPA) that covers:
- Scope and purpose of data processing
- Data subject rights and obligations
- Subprocessor management and notification
- Data breach notification procedures
- Data deletion and return upon termination
- Audit rights
To request a DPA, contact legal@petrobench.com.