PersonaStackPersonaStack.ai
HomeLegal CenterSecurityPricingLoginSign Up
HomeLegal CenterSecurityPricingLoginSign Up

Security

Current security posture and responsible vulnerability reporting.

Scope. This page describes current engineering practices without promising that every incident can be prevented or claiming an audit or certification PersonaStack has not earned.

Current controls

  • User-specific authentication and tenant authorization protect account and product boundaries.
  • Opaque browser sessions, OAuth state, and challenge checks reduce credential and callback exposure.
  • Integration and AI-provider secrets use dedicated secret-handling paths and are excluded from public catalog clones.
  • Production changes use reviewed source, immutable release artifacts, health checks, and monitored service boundaries.
  • Operational logs, bounded audit records, backups, and incident processes support detection, investigation, and recovery.
  • Encrypted transport and storage controls depend on the service and infrastructure path. PersonaStack does not promise one protocol or algorithm across every user-controlled provider, cluster, Connector, or recipient.

Shared responsibility

Users must protect account credentials, apply least-privilege integration scopes, secure customer-controlled clusters and Connectors, review Agent tool access, and revoke compromised credentials promptly. Third-party AI providers and integrations control their own systems and security practices.

Report a vulnerability

Use the contact page. Put Security report in the subject. Include the affected route or component, impact, safe reproduction steps, and a way to contact you. Do not include private keys, passwords, full access tokens, or personal data beyond what is needed to explain the issue.

Safe research

  • Use accounts and data you own or have explicit permission to test.
  • Do not access, change, retain, or delete another person's data.
  • Do not use denial of service, social engineering, destructive payloads, or broad automated scanning.
  • Stop and report if testing exposes secrets, personal data, or a path to material harm.
  • Give PersonaStack a reasonable opportunity to investigate before public disclosure.

PersonaStack intends to work in good faith with researchers who follow these rules. This page does not create a binding safe-harbor commitment or response service-level commitment.

Legal and privacy resources

See the Legal Center, Privacy Policy, and content reporting process.