Security

How PersonaMesh secures your data

Last updated 2026-04

Reporting a vulnerability

Email security@personamesh.ai. We acknowledge receipt within one business day and triage within three. Public disclosure follows our 90-day window unless we have a fix sooner; coordinated disclosure is welcome. A formal bug bounty launches with public beta.

Identity & access

  • API keys are SHA-256 hashed at rest; revocable; per-tenant rate limits cap blast radius.
  • Sessions are HMAC-signed HttpOnly cookies (Secure when behind TLS); 7-day TTL.
  • OIDC SSO via discovery + PKCE; SCIM and SAML are on the roadmap.
  • RBAC with five roles: owner, admin, developer, operator, viewer.
  • Default-workspace mode is disabled in production builds.

Cryptography

  • TLS 1.3 in transit; AES-256 at rest.
  • KMS-backed envelope encryption available via a pluggable provider (local AES-GCM, AWS KMS, Vault Transit, HSM via PKCS#11).
  • License JWTs verified at startup with a 14-day grace window.

Network & tools

  • Default-deny NetworkPolicy in the Helm chart.
  • Tool egress is allowlisted per tool; private IP ranges are blocked unless explicitly enabled.
  • Per-IP flood guard in front of every endpoint.
  • Per-tenant token-bucket rate limiter.

Data

  • Hash-chained audit log; /v1/audit/verify walks the chain and breaks loud if anything was tampered with.
  • PII redaction on memory write; per-record retention.
  • GDPR forget API; per-record delete and bulk redaction.

Build & supply chain

  • Pinned dependencies, lockfile committed, Renovate / Dependabot suggested.
  • Cosign keyless signing on every published image.
  • CycloneDX SBOM attested with cosign on every release.
  • SLSA build provenance enabled in CI.
  • Containers run as a non-root user (uid 10001), read-only root filesystem, dropped capabilities.

Compliance roadmap

  • SOC 2 Type I — architectural readiness in place; audit firm engagement is the next external step.
  • SOC 2 Type II — 12-month observation window after Type I.
  • HIPAA — BAA-able once BYOK with HSM lands.
  • GDPR — DPA template available; DPIA template in progress.
  • EU AI Act — risk classification document in progress; the audit + safety hooks the regulation requires are already in place.
  • FedRAMP Moderate — separate GovCloud tenancy; out of scope for v1.

For our threat model, full controls inventory, and disclosure timeline, visit the Trust center.