Security Overview
How we protect the data you and your respondents trust us with.
Last updated:
Transport security
All API and web traffic is served over TLS 1.2+. HSTS is enforced on the production domain. Certificates are rotated automatically via Let's Encrypt.
Data at rest
Postgres uses managed-instance disk encryption. Reports in S3 are encrypted with SSE-S3 by default; SSE-KMS with a tenant-scoped key is on the roadmap. Admin AI-provider settings are encrypted at the application layer with AES-GCM (256-bit).
Access control
API access requires an API key (prefix-pinned, hashed at rest, revocable) or a JWT minted from the same key. Admin endpoints require role=admin. We follow least-privilege internally; production access is logged.
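The API-key scheme described above (prefix pinned in clear for lookup, full key hashed at rest, revocable, role=admin gate), as an added illustration that is not PsyForge's own code; the "pf_" key format, PREFIX_LEN and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed layout (not PsyForge's actual format): a fixed "pf_" marker plus
# random material. The first PREFIX_LEN characters are stored in clear so a
# key row can be located by index without the full secret ever being stored.
PREFIX_LEN = 8


@dataclass
class StoredKey:
    prefix: str
    digest: bytes  # SHA-256 of the full key; the plaintext is never persisted
    role: str
    revoked: bool = False


class KeyStore:
    """Minimal in-memory stand-in for an API-keys table."""

    def __init__(self) -> None:
        self._rows: dict[str, StoredKey] = {}

    @staticmethod
    def _digest(key: str) -> bytes:
        # Keys carry ~256 bits of entropy, so plain SHA-256 is adequate here;
        # slow password hashes (bcrypt/argon2) are for low-entropy secrets.
        return hashlib.sha256(key.encode()).digest()

    def issue(self, role: str = "user") -> str:
        while True:  # retry on the (rare) prefix collision
            raw = "pf_" + secrets.token_urlsafe(32)
            prefix = raw[:PREFIX_LEN]
            if prefix not in self._rows:
                break
        self._rows[prefix] = StoredKey(prefix, self._digest(raw), role)
        return raw  # shown to the caller exactly once

    def authenticate(self, presented: str) -> Optional[StoredKey]:
        row = self._rows.get(presented[:PREFIX_LEN])
        if row is None or row.revoked:
            return None
        # Constant-time digest comparison avoids a timing side channel.
        if not hmac.compare_digest(row.digest, self._digest(presented)):
            return None
        return row

    def revoke(self, prefix: str) -> bool:
        row = self._rows.get(prefix)
        if row is None:
            return False
        row.revoked = True
        return True


def require_admin(store: KeyStore, presented: str) -> bool:
    """Gate for admin endpoints: a valid, unrevoked key with role=admin."""
    row = store.authenticate(presented)
    return row is not None and row.role == "admin"
```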
Vulnerability disclosure
Please report any vulnerability to security@psyforge.dev with details we can reproduce. We will acknowledge within 72 hours and aim to remediate critical issues within 7 days. We do not currently run a paid bounty but will publicly credit researchers (with consent).
Audits and certifications
PsyForge is in alpha; no SOC 2 or ISO 27001 certification yet. We track those programs internally and will publish target dates before public launch.
Questions or concerns? Email us at legal@psyforge.dev