Security Policy

Last Updated: September 19, 2025

1. Security Commitment

PM33 is committed to protecting your data through comprehensive security measures designed to safeguard your strategic intelligence and product information.

2. Infrastructure Security

2.1 Cloud Infrastructure

  • Primary Hosting: AWS with multi-region redundancy
  • Database: Supabase with automatic backups
  • Vector Storage: Pinecone with isolated indexes
  • Compute: Railway with container isolation

2.2 Network Security

  • All traffic encrypted with TLS 1.3
  • Web Application Firewall (WAF) protection
  • DDoS mitigation
  • Private networking between services

3. Data Security

3.1 Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all data transmission
  • Key Management: Rotating encryption keys with secure storage

3.2 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • Session management with automatic timeout
  • API key rotation and management

4. Application Security

4.1 Development Practices

  • Secure coding standards
  • Regular dependency updates
  • Static and dynamic code analysis
  • Peer code reviews

4.2 AI Security

  • Isolated processing environments
  • No training on customer data without consent
  • Prompt injection protection
  • Output validation and sanitization

5. Operational Security

5.1 Monitoring

  • 24/7 system monitoring
  • Automated threat detection
  • Security incident logging
  • Performance and availability tracking

5.2 Incident Response

  • Documented incident response procedures
  • Designated security team
  • 4-hour response time for critical incidents
  • Post-incident reviews and improvements

6. Compliance

6.1 Standards

  • SOC 2 Type II (in progress)
  • GDPR compliance for EU customers
  • CCPA compliance for California residents

6.2 Audits

  • Annual third-party security audits
  • Quarterly vulnerability assessments
  • Continuous penetration testing

7. Data Isolation

  • Customer workspaces are logically isolated
  • No cross-customer data access
  • Separate encryption keys per customer (Enterprise)
  • Dedicated infrastructure available (Enterprise)

8. Integration Security

  • OAuth 2.0 for third-party integrations
  • Minimal permission scopes
  • Token encryption and secure storage
  • Regular permission audits

9. Business Continuity

  • Daily automated backups
  • Point-in-time recovery capabilities
  • Disaster recovery plan with RTO of 4 hours
  • Geographically distributed backups

10. Security Reporting

To report security vulnerabilities:

  • Email: security@pm-33.com
  • Expected response: Within 24 hours
  • Bug bounty program: Coming Q1 2026

11. Employee Security

  • Background checks for all employees
  • Security training and awareness programs
  • Signed confidentiality agreements
  • Principle of least privilege access

12. Physical Security

  • Data centers with 24/7 security
  • Biometric access controls
  • Environmental monitoring
  • Redundant power and cooling systems
Terms of ServiceData Processing Agreement

For questions about this document, contact legal@pm-33.com