Security

ProsodyAI employs a defense-in-depth security strategy that combines multiple layers of technical controls, operational processes, and organizational policies. We follow the principle of least privilege and implement zero-trust architecture across our infrastructure.

Our security program is continuously reviewed and improved. We conduct regular third-party penetration tests, internal security reviews, and automated vulnerability scanning as part of our ongoing commitment to protecting your data.

Cloud Infrastructure

Our Services are hosted in enterprise-grade cloud infrastructure with redundant availability zones to ensure high availability and resilience against hardware failures and regional outages.

• Geographically distributed deployments for low latency and redundancy
• Load balancers with DDoS protection and rate limiting at the edge
• Automated failover and health monitoring across all critical services
• Network segmentation: public-facing services, application layer, and data layer are isolated in separate VPCs
• Regular backups with point-in-time recovery capabilities
• Infrastructure-as-code (IaC) for reproducible, auditable deployments

Physical Security

Our cloud infrastructure providers maintain SOC 2 Type II certification and operate facilities with 24/7 physical security, biometric access controls, surveillance systems, and redundant power supplies.

Network Security

• Web Application Firewall (WAF) protecting all public endpoints
• Intrusion Detection System (IDS) monitoring for anomalous traffic patterns
• Private networking between internal services — inter-service communication never traverses the public internet
• Strict egress filtering to prevent unauthorized data exfiltration
• BGP-level DDoS mitigation with automatic traffic scrubbing

Data in Transit

• All client-server communication is encrypted with TLS 1.3 (TLS 1.2 minimum)
• HTTP Strict Transport Security (HSTS) enforced with a 1-year max-age directive
• Internal service-to-service communication encrypted with mutual TLS (mTLS)
• Certificate management via automated rotation to eliminate expiration risk

Data at Rest

• All stored data, including audio files, databases, and backups, encrypted with AES-256-GCM
• Encryption keys managed by a dedicated Key Management Service (KMS) with hardware security module (HSM) backing
• Keys rotated automatically every 90 days
• Database-level encryption applied to all PostgreSQL instances

Credential Security

• User passwords hashed with bcrypt (cost factor ≥ 12) — never stored in plaintext
• API keys stored as SHA-256 hashes with a plaintext prefix for identification only
• Session tokens are cryptographically random, short-lived JWTs (15-minute access tokens)
• Refresh tokens are single-use and securely rotated on each use

Role-Based Access Control (RBAC)

All access to platform resources is governed by a strict RBAC system. Users are assigned only the minimum permissions necessary to perform their functions (principle of least privilege).

Internal Access

• Production system access is restricted to a small number of authorized engineers
• All access requires multi-factor authentication (MFA) via hardware security keys
• SSH access to production servers requires certificate-based authentication with short-lived certificates (4-hour TTL)
• All administrative actions are logged in an immutable audit trail
• Just-in-time (JIT) access provisioning for elevated privileges — elevated access expires automatically
• Regular access reviews: quarterly for production access, monthly for privileged accounts

User Authentication

• JWT-based authentication with 15-minute access token expiry
• Secure HTTP-only, SameSite=Strict cookies for session management
• Account lockout after 10 consecutive failed login attempts
• Suspicious login detection with email alerts for new device or location sign-ins

All customer data is logically isolated. Your audio files, synthesis history, and account data are accessible only through authenticated API calls tied to your account credentials. No cross-tenant data access is possible by design.

• Tenant isolation enforced at the database level via row-level security policies
• Object storage buckets use server-side encryption with per-tenant key prefixes
• API rate limiting is enforced per-account to prevent resource contention between tenants
• Voice clone models are stored in isolated namespaces and never shared between accounts

Continuous Scanning

• Automated dependency scanning on every code commit using industry-standard tooling
• Container image scanning for known CVEs before deployment to production
• Infrastructure configuration scanning to detect security misconfigurations (CIS benchmarks)
• Static Application Security Testing (SAST) integrated into CI/CD pipelines
• Dynamic Application Security Testing (DAST) run weekly against staging environments

Penetration Testing

We engage qualified third-party security firms to perform annual penetration tests against our infrastructure and applications. Critical findings are remediated within 7 days; high-severity findings within 30 days.

Patch Management

• Critical security patches applied within 24 hours of disclosure
• High-severity patches applied within 7 days
• All other patches applied within 30 days
• Zero-downtime deployment strategy for security updates

We maintain a documented Incident Response Plan (IRP) that is tested annually through tabletop exercises.

Response Phases

• Detection & Triage: automated monitoring alerts the on-call security team within minutes of anomaly detection
• Containment: affected systems are isolated to prevent lateral movement within 1 hour
• Investigation: root cause analysis conducted by our security engineering team
• Recovery: systems restored from verified clean backups with integrity validation
• Post-Incident Review: lessons learned documented and process improvements implemented

User Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours of confirmed discovery, as required by GDPR and applicable regulations. Notification will include the nature of the breach, data categories affected, likely consequences, and measures taken or proposed.

Status Updates

Real-time service status and incident updates are published at our status page. Subscribe for email or webhook notifications.

Compliance reports and attestations are available to enterprise customers upon request under NDA. Contact security@prosodyai.ai to request documentation.

We believe that responsible disclosure of security vulnerabilities helps protect our users and the broader internet. We invite security researchers to report potential vulnerabilities in our Services.

How to Report

Please submit vulnerability reports to security@prosodyai.ai. Encrypt sensitive reports using our PGP key (available on request).

Our Commitments to Researchers

• Acknowledge receipt of your report within 2 business days
• Provide a timeline for resolution within 10 business days
• Keep you informed of our progress throughout the remediation process
• Credit researchers in our security acknowledgments (if desired)
• Not pursue legal action against researchers who follow responsible disclosure practices

Scope

In-scope targets include all *.prosodyai.ai domains and our published APIs. Out-of-scope items include third-party services, physical security attacks, and social engineering.