Security
Security is a first-class feature
We treat security not as a checkbox but as a core product requirement. Here's how we protect your data and your users.
Encryption
- AES-256 encryption at rest for all stored data (Neon Postgres)
- TLS 1.3 for all data in transit
- API keys managed via Unkey with hashed storage
- Database credentials managed through provider-level secrets (Neon, Vercel)
Infrastructure
- Application hosted on Vercel with edge network and automatic failover
- Database hosted on Neon serverless Postgres with connection pooling
- Rate limiting at API and pre-auth layers via Upstash Redis
- CI/CD pipeline with lint, typecheck, test, and build gates on every change
Access controls
- Tenant-scoped data isolation enforced at every API endpoint
- API key authentication via Unkey with per-tenant scoping
- User authentication via Clerk sessions and organization context
- Enterprise SAML SSO for supported organization workspaces
- Role-based access control with Owner, Admin, Editor, and Viewer roles
Application security
- Automated linting and type checking in CI/CD pipeline
- Dependency scanning via GitHub Dependabot
- Security headers enforced (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- Input validation on all API endpoints via Zod schemas
Compliance & certifications
- SOC 2 Type II: In progress (ETA Q3 2026)
- GDPR: Compliant
- CCPA: Compliant
- ISO 27001: Planned (ETA 2027)
- HIPAA BAA: Available on Enterprise
Responsible disclosure
We take all security reports seriously. If you discover a vulnerability in our platform, please report it responsibly. We commit to:
- Acknowledge your report within 24 hours
- Provide a timeline for resolution within 5 business days
- Not pursue legal action against good-faith reporters
- Credit you in our Hall of Fame (unless you prefer anonymity)
In scope: person.run web application, API, and SDKs.
Out of scope: Social engineering, physical attacks, third-party services.
Sub-processors
We use the following sub-processors to deliver the Service. All are bound by data processing agreements.
- Vercel: Application hosting & edge functions (Global)
- Neon: PostgreSQL database hosting (US)
- Upstash: Redis caching, rate limiting & job queues (Global)
- Polar: Subscription billing & payment processing (US)
- Clerk: User authentication & session management (US)
- Unkey: API key management & verification (Global)
- OpenAI: AI model inference (default provider) (US)
- Sentry: Error tracking & observability (US)
Have a security question that isn't a vulnerability report?