PACER does not persist user data. All analyses are performed in-session: user-provided data such as response matrices, item parameters, and Q-matrices is processed transiently and is not retained after execution. No user data is stored, logged, or written to persistent storage by the application.
For organizations requiring full control over their data, PACER also offers a desktop application (Windows and macOS) built with Electron that runs entirely on the user's local machine. In desktop mode, no data leaves the device under any circumstances — the ASP.NET backend is bundled locally and operates fully offline.
The PACER web application is hosted on Microsoft Azure within the United States. The application runs on Azure App Service and benefits from Microsoft's enterprise-grade cloud infrastructure, including:
Infrastructure security, availability, and physical safeguards are managed by Microsoft as part of the Azure platform.
All communication with PACER is encrypted using HTTPS with Transport Layer Security (TLS) version 1.2 or higher. PACER enforces modern cryptographic standards, including forward secrecy (ECDHE key exchange) and authenticated encryption (AES-GCM cipher suites). This ensures that data transmitted between users and the application is protected against interception and tampering.
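An added check (not PACER's own code) for the transport policy above: it classifies a negotiated TLS session by the cipher-suite and protocol strings that Python's `ssl.SSLSocket.cipher()` returns, and `probe()` applies that check to a live endpoint. The host name passed on the command line is an assumption; the checker itself runs offline.

```python
"""Verify a negotiated TLS session against the stated policy:
TLS 1.2 or higher, ECDHE key exchange (forward secrecy), AES-GCM suites.
Added example; not part of the PACER code base."""
import socket
import ssl
import sys
from typing import List

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def check_tls_policy(cipher_name: str, protocol: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant.

    Inputs use the OpenSSL spelling that ssl.SSLSocket.cipher() returns,
    e.g. ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2") or
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3").
    """
    problems = []
    if protocol not in ACCEPTED_PROTOCOLS:
        problems.append(f"protocol {protocol} is below TLS 1.2")
    # TLS 1.3 suite names omit the key exchange because every TLS 1.3
    # handshake uses an ephemeral (EC)DHE exchange, so forward secrecy
    # is implied there; for TLS 1.2 the suite name must say ECDHE.
    if protocol != "TLSv1.3" and "ECDHE" not in cipher_name:
        problems.append(f"{cipher_name} lacks ECDHE (no forward secrecy)")
    # The policy names AES-GCM specifically, so other AEADs such as
    # ChaCha20-Poly1305 are reported as deviations from the stated policy.
    if "AES" not in cipher_name or "GCM" not in cipher_name:
        problems.append(f"{cipher_name} is not an AES-GCM suite")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Negotiate TLS with the given host using the default client context
    and return the policy violations for the session that was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return check_tls_policy(name, proto)


if __name__ == "__main__":
    # Host is supplied by the caller; no default target is assumed.
    target = sys.argv[1]
    violations = probe(target)
    print("compliant" if not violations else "\n".join(violations))
```

The probe reports only the suite a modern client negotiates; auditing what else a server would accept requires deliberately weakened client contexts, which this example does not do.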
PACER is hosted on Microsoft Azure, which provides encryption at rest for all underlying storage using industry-standard encryption mechanisms. Because PACER does not write user data to persistent storage, this protection applies to application infrastructure and configuration data only.
Sensitive configuration values — such as service credentials — are stored securely within Azure App Service configuration settings and are not embedded in application code or exposed to end users. PACER follows secure development practices designed to minimize attack surface and reduce the risk of unauthorized access.
PACER is accessible over the public internet via HTTPS only. All traffic is encrypted and no direct access to underlying infrastructure or services is exposed. The application runs within Azure-managed environments that isolate and protect compute resources.
Major versions of PACER are supported for 12 months from their release date. During the support window, security patches and critical bug fixes are provided at no additional cost. After a version reaches end-of-life, no further security patches will be issued for that version. Users are encouraged to upgrade to a current supported version.
Release dates and version history are published in the PACER Changelog. Advance notice of at least 90 days is provided before any version reaches end-of-life.
PACER monitors for security vulnerabilities in its dependencies and application code through the following channels:
When a vulnerability is confirmed, a patch is developed, tested, and released according to the patching SLA below. Customers are notified of security-relevant releases via the changelog. To report a suspected vulnerability directly, contact the developer via paceronline.com.
PACER commits to the following response timeframes for confirmed vulnerabilities, measured from the date of confirmed identification. Severity is rated using the CVSS (Common Vulnerability Scoring System) — an industry-standard 0–10 scale published by NIST.
| Severity | CVSS Score | Patch Commitment |
|---|---|---|
| Critical | 9.0 – 10.0 | Patched and released within 30 days |
| High | 7.0 – 8.9 | Patched and released within 60 days |
| Medium | 4.0 – 6.9 | Addressed in next planned release |
| Low | 0.1 – 3.9 | Addressed in next planned release |
Before each release, PACER undergoes dynamic security testing against the running application using OWASP ZAP (Zed Attack Proxy), a free and open-source tool maintained by the Open Worldwide Application Security Project. Testing covers the application's HTTP API surface and focuses on the OWASP Top 10, including injection vulnerabilities, broken authentication, sensitive data exposure, and security misconfiguration.
Findings from each scan are reviewed and addressed prior to release in accordance with the patching SLA above.
PACER is not currently certified under formal compliance frameworks such as SOC 2 or FedRAMP. However, it is designed to align with widely accepted security best practices:
These controls are consistent with many of the core principles underlying common security and compliance standards.
Users are responsible for ensuring that any data uploaded to PACER complies with their organization's internal data governance, privacy, and regulatory requirements. PACER's security model minimizes the platform's exposure to sensitive data but does not substitute for the user's own compliance obligations.
| Control | Status | Details |
|---|---|---|
| User data at rest | ✓ Not stored | No user data written to persistent storage. Transient in-session only. Data is discarded after execution completes. |
| Encryption in transit | ✓ Encrypted | TLS 1.2 or higher. ECDHE key exchange (forward secrecy). AES-GCM cipher suites. |
| Infrastructure at rest | ✓ Encrypted | Microsoft Azure platform encryption for all underlying storage. Industry-standard mechanisms. |
| Hosting location | ✓ US Azure | Microsoft Azure, United States. Azure App Service. Physically secure, enterprise-grade data centers. |
| Desktop / offline mode | ✓ Available | Electron desktop app (Windows and macOS). All data stays on device. No network calls. Fully air-gapped capable. |
| Credentials management | ✓ Secure | Stored in Azure App Service configuration settings. Not embedded in application code or exposed to users. |
| EOL support policy | ✓ Published | Major versions supported 12 months from release. 90-day advance notice before EOL. See EOL Policy section above. |
| Vulnerability management | ✓ Documented | GitHub Dependabot + NVD monitoring. SAST on every build. Direct contact channel for responsible disclosure. |
| Patching SLA | ✓ Committed | Critical (CVSS ≥ 9.0): 30 days. High (CVSS 7.0–8.9): 60 days. Medium/Low: next planned release. |
| Dynamic security testing (DAST) | ✓ Performed | OWASP ZAP baseline scanning performed against the running application before each release. The HTTP API surface is tested against the OWASP Top 10. |
| SOC 2 certification | ⚠ Not yet | Not currently certified. Architecture aligns with core SOC 2 Trust Service Criteria. Formal audit not yet initiated. |
| FedRAMP authorization | ⚠ Not applicable | Not applicable at current scale. Microsoft Azure's FedRAMP authorization covers the underlying infrastructure layer. |