Security
How PersonaMesh secures your data
Last updated 2026-04
Reporting a vulnerability
Email security@personamesh.ai. We acknowledge receipt within one business day and triage within three. Public disclosure follows our 90-day window unless we have a fix sooner; coordinated disclosure is welcome. A formal bug bounty launches with public beta.
Identity & access
- API keys are SHA-256 hashed at rest; revocable; per-tenant rate limits cap blast radius.
- Sessions are HMAC-signed HttpOnly cookies (Secure when behind TLS); 7-day TTL.
- OIDC SSO via discovery + PKCE; SCIM and SAML are on the roadmap.
- RBAC with five roles: owner, admin, developer, operator, viewer.
- Default-workspace mode is disabled in production builds.
Cryptography
- TLS 1.3 in transit; AES-256 at rest.
- KMS-backed envelope encryption available via a pluggable provider (local AES-GCM, AWS KMS, Vault Transit, HSM via PKCS#11).
- License JWTs verified at startup with a 14-day grace window.
Network & tools
- Default-deny NetworkPolicy in the Helm chart.
- Tool egress is allowlisted per tool; private IP ranges are blocked unless explicitly enabled.
- Per-IP flood guard in front of every endpoint.
- Per-tenant token-bucket rate limiter.
Data
- Hash-chained audit log;
/v1/audit/verifywalks the chain and breaks loud if anything was tampered with. - PII redaction on memory write; per-record retention.
- GDPR forget API; per-record delete and bulk redaction.
Build & supply chain
- Pinned dependencies, lockfile committed, Renovate / Dependabot suggested.
- Cosign keyless signing on every published image.
- CycloneDX SBOM attested with cosign on every release.
- SLSA build provenance enabled in CI.
- Containers run as a non-root user (uid 10001), read-only root filesystem, dropped capabilities.
Compliance roadmap
- SOC 2 Type I — architectural readiness in place; audit firm engagement is the next external step.
- SOC 2 Type II — 12-month observation window after Type I.
- HIPAA — BAA-able once BYOK with HSM lands.
- GDPR — DPA template available; DPIA template in progress.
- EU AI Act — risk classification document in progress; the audit + safety hooks the regulation requires are already in place.
- FedRAMP Moderate — separate GovCloud tenancy; out of scope for v1.
For our threat model, full controls inventory, and disclosure timeline, visit the Trust center.