Security

pmexa security: encryption, infrastructure protection, AI processing security, compliance (GDPR, CCPA), vulnerability management, and data protection.

Your data security is our top priority.

How We Protect Your Data

Encryption

  • In transit: All data transmitted using TLS 1.3 encryption
  • At rest: Sensitive data encrypted using AES-256
  • Passwords: Hashed using bcrypt with salt

Infrastructure Security

  • Hosting: Enterprise-grade cloud infrastructure (Vercel, Supabase)
  • Authentication: Secure auth via Clerk (SOC 2 Type II certified)
  • Payments: PCI-DSS compliant via Stripe
  • Databases: Isolated with row-level security (RLS)

Access Controls

  • Multi-factor authentication (MFA) available
  • Role-based access control for team plans
  • Session management with automatic timeouts
  • API rate limiting to prevent abuse

AI Processing Security

Anthropic Claude

  • Data processed via Anthropic's secure API
  • Zero retention: Anthropic does not store or train on your data
  • SOC 2 Type II certified infrastructure
  • GDPR and CCPA compliant

Data Isolation

  • Each user's data is isolated in the database
  • No cross-user data access
  • Secure file storage with access controls

Compliance

We adhere to industry security standards:

  • GDPR: European data protection compliance
  • CCPA: California privacy rights
  • SOC 2: Service organization controls (via providers)
  • OWASP: Web application security best practices

Vulnerability Management

Security Practices

  • Regular security audits
  • Automated vulnerability scanning
  • Dependency updates and patching
  • Code review for all changes
  • Penetration testing (annual)

Incident Response

  • 24/7 monitoring for security events
  • Incident response plan in place
  • User notification within 72 hours of breaches
  • Coordinated disclosure for vulnerabilities

Data Backup & Recovery

  • Automated backups: Daily encrypted backups
  • Retention: 30-day backup retention
  • Disaster recovery: Tested recovery procedures
  • Geographic redundancy: Multi-region backup storage

Third-Party Security

We carefully vet all third-party services:

| Service | Purpose | Certification |
|---------|---------|---------------|
| Clerk | Authentication | SOC 2 Type II |
| Stripe | Payments | PCI-DSS Level 1 |
| Anthropic | AI Processing | SOC 2 Type II |
| Vercel | Hosting | SOC 2, ISO 27001 |
| Supabase | Database | SOC 2 Type II |

User Security Best Practices

Protect Your Account

  • ✅ Use a strong, unique password
  • ✅ Enable two-factor authentication
  • ✅ Never share your credentials
  • ✅ Log out on shared devices
  • ✅ Review account activity regularly

Report Security Issues

Found a vulnerability? We appreciate responsible disclosure:

📧 security@pmexa.com

We typically respond within 24 hours and will:

  • Acknowledge receipt of your report
  • Investigate and validate the issue
  • Work on a fix with appropriate urgency
  • Credit researchers (with permission)

Data Requests

Access Your Data

  • Download your data anytime from settings
  • Export all documents, specs, and analysis
  • Portable formats (JSON, Markdown, PDF)

Delete Your Data

  • Delete account in settings
  • Data removed within 30 days
  • Backups purged within 90 days

Security Updates

We continuously improve security:

  • Weekly dependency updates
  • Monthly security reviews
  • Quarterly penetration tests
  • Annual third-party audits

Questions?

For security inquiries: security@pmexa.com

For general support: support@pmexa.com

Last security audit: February 2025

Last updated: February 11, 2026