Security at Psyth

All traffic to psyth.psypher.ai is served over HTTPS with HSTS preload. Data at rest is encrypted with AES-256 in our managed Postgres provider.

• ·TLS 1.2+ enforced on every endpoint
• ·HSTS preload (max-age 2 years, includeSubDomains)
• ·AES-256 encryption at rest for primary data store

Psyth supports email + password (Argon2id-hashed), Google and Microsoft OAuth, and enterprise SSO via SAML 2.0 and OIDC.

• ·SAML 2.0 SSO (Okta, Entra ID, OneLogin, JumpCloud) — Enterprise plan
• ·OIDC SSO — Enterprise plan
• ·SCIM 2.0 user provisioning — Enterprise plan
• ·Optional MFA for password-based accounts

Workspace-scoped RBAC governs every read and write. Roles include Owner, Admin, Manager, Member, and Guest, with per-resource overrides on projects and boards.

• ·Per-organization data isolation enforced at the database level
• ·Per-project visibility controls (private, team, organization)
• ·Audit log of permission changes

Our AI agent operates strictly within the calling user's permissions. Every tool call is authorized, logged, and (for high-risk actions) confirmed before execution. Your data is never used to train foundation models.

• ·Per-call RBAC authorization on every AI tool invocation
• ·Confirmation prompts before bulk or destructive operations
• ·Per-organization rate limits to prevent runaway agent loops
• ·Full AI audit log: who, what, when, with reasoning trace
• ·No-train guarantees with our inference providers

Sensitive actions (auth events, permission changes, data exports, AI tool calls) are written to an append-only audit log accessible to workspace owners.

• ·12-month retention on Pro, 36-month on Enterprise
• ·Exportable to JSON or CSV
• ·Streamable to your SIEM via webhook on Enterprise

Continuous WAL-based replication with point-in-time recovery to any second within the last 7 days. Daily encrypted snapshots retained for 30 days.

Annual third-party penetration testing planned for Q3 2026. Coordinated disclosure program available today via [email protected].

We are actively pursuing SOC 2 Type II. Observation period is in progress; report expected late 2026. Customers under NDA can request our current security questionnaire.

Psyth processes personal data in accordance with the GDPR. We act as data processor for customer-uploaded data and offer EU data residency on the Enterprise plan.