Security
Current security posture and responsible vulnerability reporting.
Current controls
- User-specific authentication and tenant authorization protect account and product boundaries.
- Opaque browser sessions, OAuth state, and challenge checks reduce credential and callback exposure.
- Integration and AI-provider secrets use dedicated secret-handling paths and are excluded from public catalog clones.
- Production changes use reviewed source, immutable release artifacts, health checks, and monitored service boundaries.
- Operational logs, bounded audit records, backups, and incident processes support detection, investigation, and recovery.
- Encrypted transport and storage controls depend on the service and infrastructure path. PersonaStack does not promise one protocol or algorithm across every user-controlled provider, cluster, Connector, or recipient.
Shared responsibility
Users must protect account credentials, apply least-privilege integration scopes, secure customer-controlled clusters and Connectors, review Agent tool access, and revoke compromised credentials promptly. Third-party AI providers and integrations control their own systems and security practices.
Report a vulnerability
Use the contact page. Put Security report in the subject. Include the affected route or component, impact, safe reproduction steps, and a way to contact you. Do not include private keys, passwords, full access tokens, or personal data beyond what is needed to explain the issue.
Safe research
- Use accounts and data you own or have explicit permission to test.
- Do not access, change, retain, or delete another person's data.
- Do not use denial of service, social engineering, destructive payloads, or broad automated scanning.
- Stop and report if testing exposes secrets, personal data, or a path to material harm.
- Give PersonaStack a reasonable opportunity to investigate before public disclosure.
PersonaStack intends to work in good faith with researchers who follow these rules. This page does not create a binding safe-harbor commitment or response service-level commitment.
Legal and privacy resources
See the Legal Center, Privacy Policy, and content reporting process.