§ Security
Last reviewed · 10 May 2026
Boring on purpose.
Industry-standard practices, applied carefully and audited regularly.
Encryption
- TLS 1.3 in transit.
- AES-256 at rest (Postgres, object storage, backups).
- Per-environment secrets stored in your host’s vault — never committed.
Access control
- Postgres row-level security on every table; agents are scoped to their owner.
- Service-role keys are used only by server routes that handle public chat traffic.
- Production database access is two-person, time-bound, and logged.
Reporting a vulnerability
Email security@resposai.com. We respond within one business day. We do not chase researchers who act in good faith.
Incident history
None to date. Future incidents will be posted to our status page and summarised in the changelog.