Security Policy

Last Updated: January 17, 2025

Pyramyd Inc. ("Pyramyd," "we," "us," or "our") is committed to safeguarding the confidentiality, integrity, and availability of your data. This Security Policy outlines the technical, organizational, and procedural measures we use to protect your information.

1. Security at Our Core

Security is a fundamental principle guiding our development and operational decisions. We continuously monitor, assess, and enhance our security posture to anticipate and counter evolving threats.

2. Infrastructure and Architecture

Our tech stack and third-party providers are chosen for their strong security and compliance practices:

  • Next.js (Full-Stack Framework): We use Next.js for both the frontend and the backend. Next.js is a framework rather than a hosted service, so it carries no compliance certification of its own; its security in our deployment depends on how we configure and patch it (see Section 7) and on the controls of Vercel's SOC 2 Type II compliant hosting environment, described below.
  • Vercel (Hosting & Serverless Functions): The Pyramyd application is deployed on Vercel's serverless platform. Vercel is SOC 2 Type II compliant and provides secure infrastructure, network isolation, encryption in transit, and continuous monitoring. Learn more at Vercel Security.
  • Clerk (Authentication): Clerk handles user authentication and access management. Clerk is SOC 2 Type II compliant, offering multi-factor authentication (MFA), OAuth integrations, and secure session handling. More details: Clerk Security.
  • OpenAI (AI Features): Some AI-driven functionality may use OpenAI's APIs. OpenAI's compliance certifications differ from those of our other providers, so we do not rely on them alone: OpenAI applies industry-standard security practices and TLS encryption, and data submitted through its API is not used to train its models by default. We minimize the personal data sent to OpenAI and review its compliance posture as it evolves. More info: OpenAI Security.
  • Stripe (Payment Processing): For payment processing, we use Stripe, a PCI DSS Level 1 Service Provider and SOC 2 Type II compliant platform. Stripe ensures secure payment handling, TLS encryption for data in transit, and robust fraud detection measures. More info at Stripe Security.

3. Ongoing Compliance Efforts

Pyramyd is working towards achieving SOC 2 Type II compliance. Our internal policies, procedures, and controls are aligned with SOC 2 standards. We will update this policy once certification is obtained.

4. Network and Access Controls

We rely on managed, serverless platforms that reduce our attack surface:

  • The network infrastructure, firewalls, and encryption at rest of Vercel and Supabase (our managed database provider) protect system boundaries.
  • We enforce the principle of least privilege (PoLP) and role-based access control (RBAC) to limit data and system access.
  • Continuous logging and monitoring detect unusual behavior early.

5. Data Protection

We apply industry-standard encryption and safeguards:

  • In Transit: All traffic between clients and Pyramyd is encrypted with TLS.
  • At Rest: Data stored within Supabase is encrypted using AES-256. Backups are also encrypted and tested periodically for integrity.

6. Identity and Authentication

Clerk's authentication mechanism integrates with existing identity providers, extending their security policies (e.g., MFA, adaptive authentication) to our platform. This ensures robust identity verification and secure session management.

7. Patch Management and Regular Updates

We promptly apply security patches and updates to Next.js, Prisma, and our other dependencies. Continuous Integration/Continuous Deployment (CI/CD) pipelines and automated testing help catch security regressions before updates reach production.

8. Payment Handling with Stripe

Stripe is responsible for processing payments and maintains PCI DSS Level 1 certification, SOC 2 Type II compliance, and other global security standards. Sensitive payment data never touches our servers, reducing our exposure and ensuring secure transactions.

9. Logging, Monitoring, and Incident Response

Sentry (error and performance monitoring) and Amplitude (product analytics) help us monitor application health, track performance, and detect potential anomalies. We maintain an incident response plan for security events that covers isolating the affected components, remediation steps, and timely notification of affected customers as required by law and by contract.

10. Backups and Disaster Recovery

We perform regular, encrypted backups of customer and system data. Our providers' underlying AWS/GCP infrastructure provides durable storage, and periodic testing of backup integrity supports rapid restoration if needed.

11. Contact Us

For questions, concerns, or more information about our security practices, please contact us:

Pyramyd Inc.
1 Scenic Ct
Orinda, CA 94563
Email: info@pyramyd.ai
Phone: 844-PYR-AMYD