Security

Security Overview

Effective date: TODO — set on legal approval

AI draft— pending legal & owner review; not legally binding.

1. Introduction

ShipReady Metrics ("ShipReady", "we", "us"), operated by Persoon.ai Inc., is a multi-tenant B2B SaaS platform that ingests, normalizes, and analyzes engineering and operational metrics for customer organizations. This overview describes the security practices and architecture we use to protect customer data. It is an AI-generated draft published for transparency and must be reviewed by the company owner and counsel before being relied upon.

This document describes our current and intended controls in plain language. Where a control is aspirational or in progress, we say so. It does not assert any certification, audit, or report that we have not obtained.

2. Compliance Posture

We are building our security program toward recognized industry frameworks. We design controls with these frameworks in mind, but we do not currently claim to hold the certifications or reports below unless and until they are formally obtained.

ItemStatus
SOC 2 (Type I / Type II)Not yet obtained — in progress; see Trust Center for current status
ISO/IEC 27001Not yet obtained — under evaluation; see Trust Center
Independent penetration testNot yet completed / planned — results published in Trust Center when available
GDPR / data protection alignmentIn progress — DPA and subprocessor disclosures maintained; counsel review pending

For the authoritative, current status of any certification, audit, or report, refer to our Trust Center. If you require specific evidence for a vendor assessment, contact us at security@persooninc.com.

3. Data Protection and Encryption

We protect customer data both at rest and in transit using strong, industry-standard cryptography.

  • Encryption at rest: the database and object storage are encrypted at rest by our managed data platform (Supabase) and the underlying cloud infrastructure (AES-256).
  • Encryption in transit: all connections to the application and APIs are protected with TLS; plaintext transport is not used for customer data.
  • Secrets management: API keys, tokens, and credentials are stored as managed environment secrets and are not committed to source control.
  • Connector credentials: OAuth tokens for connected sources (such as GitHub) are additionally encrypted by the application with AES-256-GCM before storage, and are used only to perform the connector’s authorized functions.

Key management for encryption at rest is provided by our database and storage platform (Supabase) and the underlying cloud infrastructure. We minimize the personal data we collect to what is needed to operate the service.

4. Tenant Isolation and Access Controls

ShipReady Metrics is multi-tenant: multiple customer organizations share the same application and database while their data is logically isolated. Isolation is enforced at the database layer using Postgres row-level security (RLS) policies, so that queries are scoped to the authenticated tenant and users cannot access data belonging to another organization. Application-level authorization checks complement RLS so that tenant scoping is enforced consistently across API routes and background jobs. We treat tenant isolation as a critical control and verify it as part of our testing.

Within an organization, access to customer data is governed by role-based access control (RBAC). The org_role assigned to each member maps to their responsibilities:

RoleTypical Capabilities
AdminManage organization settings, members, roles, and connected sources.
EngineerView and work with metrics, dashboards, and connected engineering data.
ExecutiveView reporting, dashboards, and high-level metrics with reduced administrative access.

Authentication is provided through our platform’s auth layer (Supabase Auth). The following capabilities are supported or planned depending on plan and configuration:

  • Multi-factor authentication (MFA) to strengthen account sign-in.
  • Single sign-on (SSO) and SCIM provisioning for enterprise identity integration — availability depends on plan and configuration; confirm for your deployment.
  • Least-privilege internal access: ShipReady personnel access to production systems and customer data is limited to what is necessary for support and operations.

The exact availability of SSO, SCIM, and MFA enforcement options should be confirmed for your plan. Where features are described as planned, they are not a current contractual commitment.

5. Secure Development Lifecycle

We aim to integrate security into how we build and ship the product rather than treating it as an afterthought.

  • Code is managed in version control with peer review before changes are merged.
  • Automated checks (including type checking and tests) run in continuous integration to catch defects early.
  • Dependencies are monitored and updated to address known vulnerabilities.
  • Secrets scanning and environment hygiene practices help prevent credentials from being committed to source control.

Our SDLC controls are evolving with the product, and formalization of all practices is ongoing.

6. Logging, Monitoring, and Audit Trail

We maintain operational logging and monitoring to support reliability, troubleshooting, and security investigation.

  • Application and platform logs capture operational events and errors from our hosting and database providers.
  • Security-relevant actions within the application (such as administrative and access changes) are recorded to an append-only audit log to support an audit trail.
  • We monitor for errors and anomalous behavior and investigate alerts as part of operations.

Log retention periods and the precise scope of audit logging are being formalized and should be confirmed against the executed customer agreement where specific retention commitments are required.

7. Threat and Vulnerability Management

We work to identify and remediate vulnerabilities across our application and dependencies.

  • Dependency and platform vulnerabilities are monitored, prioritized by severity, and remediated through updates.
  • We follow secure configuration practices for our hosting, database, and connectors.
  • Independent penetration testing is planned; when completed, summary results or attestation will be made available through the Trust Center under NDA where appropriate.

We have not asserted a completed independent penetration test. If you discover a potential vulnerability, please report it to security@persooninc.com so we can investigate and respond.

8. Business Continuity and Disaster Recovery

Our resilience approach builds on the managed reliability of our hosting and database providers, supplemented by our own backup and recovery practices.

  • Customer data is stored in a managed Postgres database (Supabase) that provides platform-level durability and backup capabilities.
  • We maintain backup and restore practices intended to allow recovery of customer data in the event of data loss.
  • Hosting on Vercel and the underlying cloud infrastructure provides redundancy at the platform level.

Formal recovery objectives (RPO/RTO) and documented, regularly tested disaster recovery runbooks are being developed. We do not currently assert tested, contractually guaranteed recovery objectives; any such commitments are governed by the executed customer agreement.

9. Contact

For security questions, vulnerability reports, or vendor security assessments, contact our security team. For the current status of certifications and reports, see our Trust Center.

  • Security contact: security@persooninc.com
  • Data protection contact: info@persooninc.com
  • Legal entity: Persoon.ai Inc., 525 Randall Ave Ste 100 PMB 228, Cheyenne, WY 82001

AI draft— pending legal & owner review; not legally binding.

Back to Legal