Security

Security is not a feature.
It is the foundation.

PRISM is built for engineering teams who handle sensitive AI infrastructure. Every layer of the stack is designed with security as a first-class constraint.

  • AES-256: Encryption at rest
  • TLS 1.3: In-transit security
  • 4hr: Critical incident SLA
  • 0: Data retained on simulation

Principles

How we protect your data

From zero data retention to encrypted storage, every design decision prioritizes the security of your pipeline configurations and simulation results.

01

Zero data retention on simulation

PRISM simulates pipeline behavior using synthetic traffic models. No actual user data, prompts, or API responses are stored during simulation runs. Results are ephemeral by default — persisted only when you explicitly export.

02

No model API calls

Simulations do not make real calls to OpenAI, Anthropic, or any third-party model provider. PRISM uses Monte Carlo behavioral models calibrated against empirical public benchmarks to project latency, token usage, and cost.

03

Encryption at rest and in transit

All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Pipeline definitions, simulation configurations, and exported reports are encrypted before storage.

04

SOC 2 Type II in progress

We are actively pursuing SOC 2 Type II compliance. Our infrastructure runs on AWS with VPC isolation, and we conduct quarterly penetration testing with third-party security firms.

Practices

Defense in depth

Infrastructure

  • Hosted on AWS with multi-AZ redundancy
  • VPC-isolated compute with no public ingress to internal services
  • Automated vulnerability scanning on every deployment
  • Infrastructure as code — all changes are audited and version-controlled

Application

  • Role-based access control with granular permissions
  • Session tokens with short expiry and automatic rotation
  • Rate limiting and abuse detection on all API endpoints
  • Content Security Policy headers on all web responses

Organizational

  • Mandatory security training for all engineering staff
  • Background checks for employees with production access
  • Incident response plan with 4-hour SLA for critical issues
  • Responsible disclosure program for external researchers

Compliance

Compliance roadmap

  • Complete: Penetration testing (Q1 2026)
  • Complete: AES-256 encryption at rest
  • Complete: TLS 1.3 in transit
  • In progress: SOC 2 Type II audit
  • Planned: ISO 27001 certification
  • Planned: HIPAA compliance module

Disclosure

Report a vulnerability

If you discover a security vulnerability in PRISM, please report it responsibly. We commit to acknowledging reports within 24 hours and resolving critical issues within 72 hours.

security@getprism.dev

  • 24 hours: Acknowledgement of report
  • 48 hours: Initial assessment and severity classification
  • 72 hours: Resolution for critical vulnerabilities
  • 7 days: Fix deployed for high-severity issues