Security, described plainly.
Your customers trust you with their data, and you trust us with it. This page lists what protects that data today — and, just as clearly, what is still on our roadmap. No twists, no marketing gloss.
Six layers, all live.
Encryption everywhere
Your data is encrypted while it is stored (AES-256) and while it moves between systems (TLS 1.2+). Passwords are hashed with bcrypt; API keys are stored only as hashes, never in plain text.
Database-level tenant isolation
Core multi-tenant tables — including all conversation, memory, knowledge-base, and audit data — have PostgreSQL Row Level Security enabled and forced. A request scoped to one business physically cannot read another business's rows on those tables, even if application code had a bug. Application-level tenant filtering protects every other multi-tenant table; we are extending RLS to the remaining tables in a follow-up migration tracked in our infrastructure state document.
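As an added illustration (not this platform's own schema or code), the SQL below shows what "enabled and forced" means in PostgreSQL for one tenant-scoped table, plus a catalog query that lists tables not yet covered. The table `conversations`, the column `tenant_id`, the setting `app.tenant_id`, the `public` schema and the UUID are assumed, constructed names.

```sql
-- Hypothetical tenant-scoped table (all names here are assumptions).
CREATE TABLE conversations (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- ENABLE applies policies to ordinary roles.
-- FORCE also applies them to the table owner, which otherwise bypasses RLS.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- One policy for reads (USING) and writes (WITH CHECK).
-- current_setting(..., true) yields NULL when the setting is missing and
-- NULLIF maps an empty value to NULL, so an unscoped session matches no rows.
CREATE POLICY tenant_isolation ON conversations
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: scope the transaction to one tenant, then query normally.
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111',  -- constructed sample id
                  true);                                   -- true = transaction-local
INSERT INTO conversations (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'hello');
-- No WHERE clause on tenant_id: the policy does the filtering.
SELECT id, body FROM conversations;
COMMIT;

-- Coverage check: ordinary and partitioned tables in the schema that do not
-- have RLS both enabled and forced.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity)
ORDER BY c.relname;
```

Superusers and roles with the BYPASSRLS attribute skip policies even when RLS is forced, so the application should connect as a role that has neither.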
Authenticated by default
Every API request is authenticated. Dashboard sessions use signed JWT tokens; programmatic access uses scoped API keys with per-key rate limits. Team members get only the permissions their role needs.
Hardened infrastructure
Services run on AWS in private networks, and database endpoints are not publicly reachable. Deployments use short-lived OIDC credentials from GitHub Actions — there are no long-lived cloud keys to leak.
Audit logging
Security-relevant actions are written to an append-only audit log — including data-access requests, deletions, and AI safety events. It is the same evidence trail a compliance auditor reviews.
Privacy & data rights
GDPR-aligned data handling, with working endpoints for data access (Article 15) and deletion (Article 17). Per-tenant retention policies purge data on a schedule you control.
The measures already in place.
Every item below is implemented in our platform today. If it is not on this list, assume it is not live yet — check the roadmap.
- PostgreSQL Row Level Security enabled and FORCED on core multi-tenant tables (conversation, memory, knowledge-base, audit); extension to remaining tables in progress
- AES-256 encryption at rest; TLS 1.2+ on every connection
- Passwords hashed with bcrypt; API keys stored as hashes, never in plain text
- Webhook payloads verified with an HMAC signature before they are processed
- Append-only audit log for security and privacy events
- Per-tenant and per-API-key rate limiting to contain abuse
- Cloud deploys use short-lived OIDC credentials — no long-lived keys stored in CI
- Working GDPR data-access and right-to-deletion endpoints
- Two-layer AI guardrails, including outbound PII redaction
What we are still building.
Security is never finished, and we will not pretend otherwise. These items are in progress or planned — they are not live yet.
- SOC 2: Type I readiness is largely complete; the Type II audit window is planned to begin in Q3 2026
- Daily encrypted PostgreSQL backups (pg_dump-based, with cross-region replication)
- Multi-factor authentication for dashboard accounts
- Cookie-consent controls across our websites
- External penetration testing ahead of general availability
- Signed data-processing agreements (DPAs) with every AI subprocessor — in place with some, in progress with others
Vulnerability Disclosure Policy
We welcome feedback and reports from security researchers to help keep our platform and customer data safe. If you believe you have discovered a security vulnerability in our service, please report it to us privately and responsibly.
How to report
Please email your findings to support@partython.com. To help us understand and resolve the issue quickly, please include:
- A detailed description of the vulnerability and its potential impact.
- Clear steps to reproduce the issue (including proof-of-concept code, requests, or screenshots).
- Your contact details and preferred name for acknowledgement.
Our commitment
We review all reports within 48 hours and work to resolve verified issues promptly. If you act in good faith, provide us reasonable time to fix the issue before public disclosure, and do not access or destroy customer data, we commit to not taking legal action or suspending your account.
How we talk about security
We try to describe our security in plain language. When something is on our roadmap rather than live, we say so on this page instead of blurring the line. If you need the current state of our certifications, our list of subprocessors, or a copy of our data-processing agreement for a procurement review, get in touch — we are glad to share the detail.