Security
Last updated: April 23, 2026
Security is foundational to everything we build at Pernoex. Your product's knowledge is one of your most valuable assets, and we treat it that way.
Your data is encrypted in transit and at rest. We never use your content to train AI models. Each project is fully isolated. All credentials are encrypted before storage and decrypted only in-memory during active use.
1. Authentication & Identity
Pernoex supports email and password authentication, Google Sign-In (OAuth 2.0 / OpenID Connect), and Apple Sign In. Passwords are hashed using bcrypt before storage — plaintext passwords are never written to disk or logged.
All accounts can enable two-factor authentication (2FA) using TOTP-compatible apps (Google Authenticator, Authy, 1Password, etc.). Downloadable backup codes are provided at enrollment for account recovery. Sessions are invalidated server-side on logout and on password change.
2. Data Encryption
All data in transit is protected by TLS 1.2 or higher. Data at rest is encrypted at the storage layer.
Sensitive credentials — including OAuth tokens, Slack bot tokens, third-party integration tokens, and API secrets — are encrypted using AES-256-GCM before being written to the database. They are decrypted only in-memory during active request processing and are never logged or exposed in plaintext.
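The following is an added illustration of the credential-sealing pattern described above, written for this page; it is not Pernoex's own code. It uses Go's standard AES-256-GCM (the page mentions a Go toolchain), a fresh random nonce per seal, and binds the ciphertext to the owning record id through GCM's additional authenticated data. The record-id binding, the `SealedCredential` layout and all names are assumptions for the example; the token value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedCredential is the only form that reaches the database: a nonce and the
// ciphertext with GCM's 16-byte authentication tag appended. The plaintext token
// never appears in it. (Layout is an assumption for this example.)
type SealedCredential struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM wraps a 32-byte key in AES-256-GCM. The length is checked explicitly so a
// 16- or 24-byte key cannot silently select AES-128 or AES-192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts a token before storage. recordID is passed as additional
// authenticated data (an assumption for this example, not something the page states):
// the blob then only opens against the row it was stored with, so a sealed token copied
// into another customer's record fails authentication instead of decrypting.
func SealCredential(key, plaintext []byte, recordID string) (SealedCredential, error) {
	aead, err := newGCM(key)
	if err != nil {
		return SealedCredential{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, fresh and random for every seal
	if _, err := rand.Read(nonce); err != nil {
		return SealedCredential{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return SealedCredential{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenCredential decrypts in memory for the duration of a request. Any change to the
// nonce, ciphertext, tag or recordID makes Open return an error rather than garbage.
func OpenCredential(key []byte, sc SealedCredential, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sc.Nonce, sc.Ciphertext, []byte(recordID))
}

func main() {
	key := make([]byte, 32) // in production this comes from a secret store, not the code base
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	token := []byte("xoxb-constructed-example-token") // constructed sample, not a real token
	sealed, err := SealCredential(key, token, "integration/42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: nonce=%x ciphertext+tag=%x\n", sealed.Nonce, sealed.Ciphertext)
	plain, err := OpenCredential(key, sealed, "integration/42")
	fmt.Printf("opened for request: %s (err=%v)\n", plain, err)
	_, err = OpenCredential(key, sealed, "integration/43")
	fmt.Println("opened against another record:", err)
}
```

The plaintext returned by OpenCredential lives only in the request's memory; the caller should not log it or place it in any struct that is serialized. The key itself is the part the scheme depends on, so it belongs in a KMS or secret store with its own rotation, separate from the database that holds the sealed blobs.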
3. Data Isolation
Every project operates in its own isolated environment. Documents, embeddings, conversations, and analytics are scoped to the individual project and cannot be accessed across project or customer boundaries. All database queries are scoped to the authenticated customer's record set — cross-tenant data access is structurally prevented at the query layer.
4. Access Controls
Pernoex uses role-based access control with three levels: Owner, Admin, and Member. Owners have full control over billing and team management. Admins can manage projects and settings. Members can interact with the platform within assigned projects. Invitation links are time-limited and can be revoked at any time.
All state-mutating API endpoints require a valid authenticated session plus a CSRF token. Session cookies are scoped to the customer-facing domain and are marked HttpOnly and Secure.
5. Webhook & API Security
All inbound webhooks (Slack events, Stripe billing events, voice callbacks) are verified using HMAC-SHA256 signatures against the provider's signing secret before any payload is processed. Requests with timestamps older than five minutes are rejected to prevent replay attacks.
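As an added example of the verification just described (written for this page, not Pernoex's or any provider's code), the Go function below checks the timestamp against a five-minute window and then checks an HMAC-SHA256 signature in constant time. The `v0:<timestamp>:<body>` signing-string layout and the `v0=` signature prefix are assumptions for the example; each provider documents its own layout, and the secret and payload here are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew is the replay window the page describes: five minutes either side of now.
const maxSkew = 5 * time.Minute

var (
	ErrBadTimestamp   = errors.New("webhook timestamp not parseable")
	ErrStaleTimestamp = errors.New("webhook timestamp outside replay window")
	ErrBadSignature   = errors.New("webhook signature mismatch")
)

// signingString builds the bytes that are MACed. The "v0:<ts>:<body>" layout is an
// assumption for this example; the real layout is provider-specific.
func signingString(ts string, body []byte) []byte {
	return []byte("v0:" + ts + ":" + string(body))
}

// Sign computes the hex HMAC-SHA256 a provider would attach. It exists here so the
// example can construct a request to verify; in production only the provider signs.
func Sign(secret []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(signingString(ts, body))
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook rejects stale timestamps first (cheap, and it bounds replay), then
// compares the signature. now is passed in so the window check is testable.
func VerifyWebhook(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	tsUnix, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	skew := now.Sub(time.Unix(tsUnix, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > maxSkew {
		return ErrStaleTimestamp
	}
	expected := Sign(secret, tsHeader, body)
	// hmac.Equal is constant-time, so neither the length nor the content of a wrong
	// signature leaks through response timing.
	if !hmac.Equal([]byte(expected), []byte(sigHeader)) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	secret := []byte("constructed-example-signing-secret")               // constructed, not a real secret
	body := []byte(`{"type":"event_callback","event":{"type":"message"}}`) // constructed payload
	now := time.Unix(1_700_000_000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := Sign(secret, ts, body)
	fmt.Println("fresh, valid:      ", VerifyWebhook(secret, ts, sig, body, now))
	fmt.Println("tampered body:     ", VerifyWebhook(secret, ts, sig, []byte(`{"type":"tampered"}`), now))
	fmt.Println("replayed 6m later: ", VerifyWebhook(secret, ts, sig, body, now.Add(6*time.Minute)))
}
```

The body must be verified as the raw bytes received, before any JSON decoding, because re-serializing a parsed document can change whitespace or key order and break the MAC. A request that fails either check should be dropped without touching the payload, which is the ordering the page describes.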
Public project API keys are scoped per project and can be rotated at any time from the dashboard. Server-side and administrative operations always require authenticated sessions — public keys cannot access management or billing endpoints.
6. Infrastructure
Pernoex runs on hardened cloud infrastructure (AWS) with encrypted storage volumes, private networking between services, and automated backups. Services communicate over internal VPC networking — the database, cache, and queue services are not exposed to the public internet. All external traffic terminates at the application layer after TLS inspection.
7. Domain Restrictions
Project owners can restrict which domains are permitted to load the Pernoex widget and API integration. Requests from unlisted origins are rejected at the CORS layer. This prevents unauthorized embedding and ensures your cognition layer only runs on your approved properties.
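The origin allowlist below is an added example of how such a CORS-layer restriction is typically enforced; it is written for this page and is not Pernoex's code. It normalizes each configured origin (scheme, lowercased host, default port dropped), matches the browser's Origin header only as a whole string, and echoes back only an origin that matched rather than `*` or the raw request value. All type and function names are assumptions, and the domains are constructed examples.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// OriginAllowlist holds the exact origins (scheme://host[:port]) a project owner
// permitted. Matching is whole-string, never prefix or suffix, so an origin such as
// "https://docs.example.com.example.net" does not match "https://docs.example.com".
type OriginAllowlist map[string]struct{}

// NewOriginAllowlist normalizes every configured entry and rejects anything that is
// not a bare origin (paths, query strings, userinfo or unknown schemes).
func NewOriginAllowlist(entries []string) (OriginAllowlist, error) {
	al := OriginAllowlist{}
	for _, e := range entries {
		n, err := normalizeOrigin(e)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", e, err)
		}
		al[n] = struct{}{}
	}
	return al, nil
}

// normalizeOrigin lowercases scheme and host and drops the scheme's default port so
// "https://APP.example.com:443/" and "https://app.example.com" compare equal.
func normalizeOrigin(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" ||
		(u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.User != nil {
		return "", errors.New("origin must be scheme://host[:port] only")
	}
	host := strings.ToLower(u.Hostname())
	port := u.Port()
	if (u.Scheme == "https" && port == "443") || (u.Scheme == "http" && port == "80") {
		port = ""
	}
	if port != "" {
		host += ":" + port
	}
	return u.Scheme + "://" + host, nil
}

// Allowed reports whether an Origin header value is on the list. Unparseable values,
// including the literal "null" origin, are never allowed.
func (al OriginAllowlist) Allowed(origin string) bool {
	n, err := normalizeOrigin(origin)
	if err != nil {
		return false
	}
	_, ok := al[n]
	return ok
}

// Middleware rejects unlisted origins with 403 before the handler runs. Requests with
// no Origin header are not browser cross-origin requests and are left to the session
// and CSRF controls described elsewhere on the page.
func (al OriginAllowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if !al.Allowed(origin) {
				http.Error(w, "origin not permitted", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	al, err := NewOriginAllowlist([]string{"https://docs.example.com", "https://APP.example.com:443/"})
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://docs.example.com", "https://app.example.com",
		"https://docs.example.com.example.net", "http://docs.example.com", "null"} {
		fmt.Printf("%-40s allowed=%v\n", o, al.Allowed(o))
	}
}
```

The Vary: Origin header matters when responses are cacheable: without it a shared cache could serve one origin's Access-Control-Allow-Origin value to another.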
8. Third-Party Integrations
OAuth tokens for third-party knowledge sources (Confluence, GitHub, Notion, Slack) are encrypted at rest using AES-256-GCM. When you disconnect an integration from the dashboard, the stored token is immediately deleted and the authorization is revoked with the provider. Pernoex requests only the minimum scopes required for each integration to function.
9. Dependency & Vulnerability Management
We run automated dependency audits on every build and apply security patches promptly. We monitor for known CVEs in our dependency tree and pin critical packages to patched versions. Our build toolchain enforces Go toolchain version pinning to ensure stdlib security patches are included.
10. Vulnerability Disclosure Program
This program covers all Pernoex products and services, including the Pernoex platform, API, dashboard, Slack app, and all integration endpoints.
If you discover a security vulnerability in any Pernoex product, please report it to [email protected]. Include as much detail as possible: a description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code or screenshots.
Our commitments to researchers:
- We will acknowledge receipt of your report within 48 hours.
- We will provide a remediation timeline within 5 business days of confirming the vulnerability.
- We will notify you when the vulnerability has been resolved.
- We will credit researchers who responsibly disclose valid vulnerabilities (unless you prefer to remain anonymous).
We ask that researchers follow responsible disclosure: please allow us reasonable time to remediate before any public disclosure, and do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
11. Contact
For security-related enquiries or to report a vulnerability:
- Email: [email protected]
For general privacy questions, see our Privacy Policy.