PACER does not persist user data. All analyses are performed in-session: user-provided data such as response matrices, item parameters, and Q-matrices is processed transiently and is not retained after execution. No user data is stored, logged, or written to persistent storage by the application.
For organizations requiring full control over their data, PACER also offers a desktop application (Windows and macOS) built with Electron that runs entirely on the user's local machine. In desktop mode, no data leaves the device under any circumstances — the ASP.NET backend is bundled locally and operates fully offline.
The PACER web application is hosted on Microsoft Azure within the United States. The application runs on Azure App Service and benefits from Microsoft's enterprise-grade cloud infrastructure, including:
Infrastructure security, availability, and physical safeguards are managed by Microsoft as part of the Azure platform.
All communication with PACER is encrypted using HTTPS with Transport Layer Security (TLS) version 1.2 or higher. PACER enforces modern cryptographic standards, including forward secrecy (ECDHE key exchange) and authenticated encryption (AES-GCM cipher suites). This ensures that data transmitted between users and the application is protected against interception and tampering.
PACER is hosted on Microsoft Azure, which provides encryption at rest for all underlying storage using industry-standard encryption mechanisms. Because PACER does not write user data to persistent storage, this protection applies to application infrastructure and configuration data only.
Sensitive configuration values — such as service credentials — are stored securely within Azure App Service configuration settings and are not embedded in application code or exposed to end users. PACER follows secure development practices designed to minimize attack surface and reduce the risk of unauthorized access.
PACER is accessible over the public internet via HTTPS only. All traffic is encrypted and no direct access to underlying infrastructure or services is exposed. The application runs within Azure-managed environments that isolate and protect compute resources.
PACER is not currently certified under formal compliance frameworks such as SOC 2 or FedRAMP. However, it is designed to align with widely accepted security best practices:
These controls are consistent with many of the core principles underlying common security and compliance standards.
Users are responsible for ensuring that any data uploaded to PACER complies with their organization's internal data governance, privacy, and regulatory requirements. PACER's security model minimizes the platform's exposure to sensitive data but does not substitute for the user's own compliance obligations.
| Control | Status | Details |
|---|---|---|
| User data at rest | ✓ Not stored | No user data written to persistent storage. Transient in-session only. Data is discarded after execution completes. |
| Encryption in transit | ✓ Encrypted | TLS 1.2 or higher. ECDHE key exchange (forward secrecy). AES-GCM cipher suites. |
| Infrastructure at rest | ✓ Encrypted | Microsoft Azure platform encryption for all underlying storage. Industry-standard mechanisms. |
| Hosting location | ✓ US Azure | Microsoft Azure, United States. Azure App Service. Physically secure, enterprise-grade data centers. |
| Desktop / offline mode | ✓ Available | Electron desktop app (Windows and macOS). All data stays on device. No network calls. Fully air-gapped capable. |
| Credentials management | ✓ Secure | Stored in Azure App Service configuration settings. Not embedded in application code or exposed to users. |
| SOC 2 certification | ⚠ Not yet | Not currently certified. Architecture aligns with core SOC 2 Trust Service Criteria. Formal audit not yet initiated. |
| FedRAMP authorization | ⚠ Not applicable | Not applicable at current scale. Microsoft Azure's FedRAMP authorization covers the underlying infrastructure layer. |