Skip to main content
PYRAMYD

Legal

Security Policy

Last Updated: June 30, 2026

PYRAMYD Inc. (“PYRAMYD,” “we,” “us,” or “our”) is committed to safeguarding the confidentiality, integrity, and availability of your data. This Security Policy outlines the technical, organizational, and procedural measures we use to protect your information.

1. Security at Our Core

Security is a fundamental principle guiding our development and operational decisions. We continuously monitor, assess, and enhance our security posture to anticipate and counter evolving threats.

2. Infrastructure and Architecture

PYRAMYD runs on Microsoft Azure with a small set of vetted providers chosen for their strong security and compliance practices. The current external providers that process data are listed on our Sub-processors page.

  • Microsoft Azure (primary cloud): Compute, Azure Database for PostgreSQL with Zone-Redundant high availability, Blob storage, and Azure Key Vault for secrets and encryption keys — hosted within Microsoft's SOC 2 and ISO 27001 certified infrastructure.
  • Vercel (web hosting & edge CDN): Hosts our public web properties on a SOC 2 Type II compliant platform with network isolation, encryption in transit, and continuous monitoring.
  • Okta (Auth0) (authentication & identity): Single sign-on, OAuth/OIDC, and multi-factor authentication (MFA), with secure session handling and adaptive controls.
  • Cloudflare (DNS, CDN & WAF): Edge delivery and a web application firewall that filters malicious traffic before it reaches our systems.
  • OpenAI, Azure OpenAI & Anthropic (AI inference): Power our AI features over encrypted (TLS) connections. These providers do not use our data to train their models, and we minimize the personal data sent to them.

3. Compliance & Certifications

Our security and privacy program is built around recognized standards and regulations:

  • SOC 2 Type 2: We maintain controls mapped to the SOC 2 Trust Services Criteria (security, availability, and confidentiality). Our current report or attestation status is available under NDA through our Trust Center.
  • ISO/IEC 27001 (information security): Our information-security management practices are aligned to the ISO 27001 control framework.
  • ISO/IEC 42001 (AI management): Our AI features are governed by an AI management approach aligned to ISO 42001 — including provider due-diligence, no training on customer data, human oversight, and transparency (see our Privacy Policy).
  • GDPR & CCPA/CPRA: We support data-subject and consumer rights as described in our Privacy Policy, and enter data-processing agreements (DPAs) with customers on request via legal@pyramyd.ai.

4. Network and Access Controls

We rely on managed, serverless platforms that reduce the risk surface:

  • Microsoft Azure and Vercel's networking infrastructure, firewalls, and encryption-at-rest protect system boundaries.
  • We enforce the principle of least privilege (PoLP) and role-based access control (RBAC) to limit data and system access.
  • Continuous logging and monitoring detect unusual behavior early.

5. Data Protection

We apply industry-standard encryption and safeguards:

  • In Transit: All data transmitted between clients and PYRAMYD uses TLS/SSL, ensuring data is encrypted in transit.
  • At Rest: Data stored in Azure (including Azure Database for PostgreSQL) is encrypted using AES-256, with keys managed in Azure Key Vault. Backups are also encrypted and tested periodically for integrity.

6. Identity and Authentication

Okta (Auth0) integrates with your existing identity providers, extending their security policies (e.g., MFA, single sign-on, adaptive authentication) to our platform. This ensures robust identity verification and secure session management.

7. Patch Management and Regular Updates

We promptly apply security patches and updates to our application framework and dependencies. Continuous Integration/Continuous Deployment (CI/CD) pipelines and automated testing ensure that updates do not introduce security regressions.

8. Billing & Payments

Where payment processing applies, we use a PCI-DSS Level 1 compliant payment provider. Sensitive cardholder data never touches our servers, reducing our exposure and ensuring secure transactions.

9. Logging, Monitoring, and Incident Response

Application monitoring and error-tracking tools help us monitor application health, track performance, and detect potential anomalies. We maintain an incident response plan for any security events, which includes isolating issues, remediation steps, and timely notifications to affected customers as required by law and contracts.

10. Backups and Disaster Recovery

We perform regular, encrypted backups of customer and system data. Microsoft Azure infrastructure, with Zone-Redundant high availability, ensures durability, and periodic testing of backup integrity supports rapid restoration if needed.

11. Contact Us

For questions, concerns, or more information about our security practices, please contact us:

Security enquiries and vulnerability reports: security@pyramyd.ai.