Data Handling
What Percus stores
Percus stores the following data on its infrastructure:
| Data | Where | Notes |
|---|---|---|
| User accounts | Identity Service (PostgreSQL) | Email, name, role assignments — provided at login via Google OAuth |
| Organization metadata | Identity Service | Name, settings |
| Projects and templates | Campaign Service (PostgreSQL) | Project names, descriptions, template files (Lottie JSON, manifests, video files) |
| Template assets | S3 | Animation files, images, video — encrypted at rest |
| API credentials | Campaign Service | API key stored in plaintext; API secret stored as a one-way hash |
| Audit events | Campaign Service | Who performed what action and when |
Percus does not store customer PII — the end-customer data used to personalize each video (names, balances, account numbers, etc.) is never transmitted to or persisted by Percus servers.
How personalization data is handled
The Percus rendering architecture is designed so that PII stays in the browser.
Client system Percus infrastructure
───────────────────────────────────── ────────────────────────────────────
Host page (customer website) Campaign Service
└── percus-embed-sdk └── Template files (S3)
└── postMessage PERCUS/INIT └── served to iframe
└── data: { name, balance }
↑
Stays in memory only.
Never sent to Percus.
↓
<iframe> (Percus Player)
└── BindingEngine.applyBindings()
└── PII merged into template JSON
└── Rendered in the browser
└── PII discarded after render
Key properties of this model:
- Personalization data is passed directly from the host page to the player iframe via
postMessage. - The Percus Player holds the data in memory only for the duration of the binding phase.
- The data is never written to
localStorage,sessionStorage, logs, or any network request. - Error messages emitted by the player are sanitized to ensure no data values appear in
PERCUS/ERRORpayloads. - Once binding is complete and the animation is rendered, the data object is no longer referenced.
This means a Percus infrastructure breach does not expose end-customer personalization data, because that data was never there.
Template files
Template files (Lottie JSON, manifests, video files) uploaded by motion designers are stored in S3 with server-side encryption. They contain animation structure and binding definitions — not customer data.
API secrets
When an API credential is created, the secret is returned once and is not stored in recoverable form. Percus stores only a one-way hash. If a secret is lost, it must be rotated — it cannot be retrieved.
Data residency
Percus infrastructure runs on AWS. The specific AWS region is determined at deployment time by the Percus team and communicated to clients during onboarding.