Security
Last updated: March 16, 2026
Prody is built to handle sensitive product analytics data. This page describes the technical and organizational measures we use to protect your data. If you have security questions or need to report a vulnerability, contact security@prody.com.
1. Infrastructure
Prody is hosted on Railway (US data centers). The application and database run on Railway's managed infrastructure with automatic TLS termination, private networking between services, and infrastructure-level encryption at rest.
- HTTPS everywhere - all traffic is encrypted in transit via TLS 1.2+. HTTP requests are automatically redirected to HTTPS. Strict-Transport-Security headers are enforced.
- Private database networking - the PostgreSQL database is only accessible via Railway's internal network. No public database endpoint is exposed in production.
- Environment isolation - all secrets (API keys, JWT secrets, database credentials) are stored as environment variables in Railway, never in source code.
2. Data Isolation
Every customer's data is isolated at the database query level. Every query in every route, job, and API endpoint is scoped by tenant ID. There is no shared data between tenants - one customer can never access another customer's events, accounts, users, signals, or analytics.
Multi-product workspaces use the same isolation model. Each product is a separate tenant with its own API key and fully independent data.
3. Authentication
- Passwords - stored as bcrypt hashes (cost factor 10). Plaintext passwords are never stored or logged.
- Sessions - managed via httpOnly, Secure, SameSite=Strict cookies containing signed JWTs. Sessions expire after 24 hours. Cookies are not accessible via JavaScript.
- API keys - used for SDK ingestion and server-to-server communication. Prefixed with pk_ for easy identification. Cached with 5-minute TTL and negative caching for invalid keys.
- Email verification - required before login. Verification tokens expire after 24 hours.
4. Application Security
- Security headers - Helmet.js enforces Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Permissions-Policy.
- XSS protection - all user-supplied content (notes, labels, chat responses, signal titles) passes through HTML escaping before rendering. A shared escHtml() utility is used across all pages.
- CSRF protection - SameSite=Strict cookies prevent cross-site request forgery. The browser only sends session cookies on same-origin requests.
- SQL injection prevention - all database queries use parameterized statements ($1, $2, ...). No string interpolation in SQL.
- Input validation - max length enforcement on all string inputs, HTML tag stripping, email format validation, control character rejection.
- Rate limiting - applied to login (10 per 15 minutes), signup (5 per 15 minutes), and API endpoints (100 per minute).
- Error sanitization - stack traces and raw database errors are never returned to clients in production. Errors are logged server-side only.
5. Data at Rest
- Database encryption - PostgreSQL data is encrypted at rest via Railway's infrastructure-level encryption.
- Export security - temporary export files are stored with random 24-character hex IDs (acting as auth tokens) and automatically cleaned up after 1 hour.
- CSV import protection - uploaded CSV files are validated for content type and scanned for formula injection (=, +, -, @ at cell start).
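The formula-injection scan from the last bullet, as an added example that is not Prody's own code: a small parser and scanner run over a constructed upload. It assumes a plain Node.js environment, and its exemption for plain numeric cells (so negative amounts are not rejected) goes beyond the rule stated above.

```javascript
// Added example (not Prody's code): CSV formula-injection check from section 5.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@']);

// Minimal RFC 4180-style parser (quoted fields, "" escapes, LF/CRLF rows), so a
// payload hidden in a quoted cell containing commas is still seen as one cell.
function parseCsv(text) {
  const rows = [];
  let row = [], cell = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes) {
      if (ch !== '"') cell += ch;
      else if (text[i + 1] === '"') { cell += '"'; i++; } // "" -> literal quote
      else inQuotes = false;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { row.push(cell); cell = ''; }
    else if (ch === '\n' || ch === '\r') {
      if (ch === '\r' && text[i + 1] === '\n') i++;      // swallow CRLF
      row.push(cell); rows.push(row); row = []; cell = '';
    } else cell += ch;
  }
  if (cell !== '' || row.length) { row.push(cell); rows.push(row); } // no trailing newline
  return rows;
}

// True when a spreadsheet would evaluate the cell as a formula. Plain numbers
// (-12.5, +3) are exempted here, an addition to the page's rule, so negative
// amounts in legitimate uploads are not flagged.
function isFormulaCell(cell) {
  if (/^[-+]?\d+(\.\d+)?$/.test(cell)) return false;
  return cell.length > 0 && FORMULA_TRIGGERS.has(cell[0]);
}

// Scan a whole upload; returns the position and content of every flagged cell.
function findFormulaCells(text) {
  const hits = [];
  parseCsv(text).forEach((cells, r) => cells.forEach((cell, c) => {
    if (isFormulaCell(cell)) hits.push({ row: r, col: c, value: cell });
  }));
  return hits;
}

// Neutralise for re-export: an apostrophe prefix makes spreadsheets treat the
// cell as text (a common mitigation; the page does not say which one Prody applies).
function neutralizeCell(cell) {
  return isFormulaCell(cell) ? "'" + cell : cell;
}

// Constructed sample upload: negative amount, quoted formula, @-prefixed label.
const SAMPLE_CSV = 'email,plan,mrr\na@example.com,pro,-12.5\n' +
  '"=SUM(A1:A9)",free,0\nb@example.com,@team,+1\n';
```

Running findFormulaCells(SAMPLE_CSV) reports the quoted formula in row 2 and the @-prefixed label in row 3, while -12.5 and +1 pass as numbers.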
6. AI Data Handling
Prody uses Anthropic's Claude API for AI features (Signals explanations, Ask Prody chat, Correlation Discovery). When AI features are used, relevant data is sent to Anthropic for processing.
- Anthropic does not use your data to train AI models.
- AI requests are scoped to the current tenant - no cross-tenant data is ever included in prompts.
- Daily token budgets limit AI usage per tenant (default: 2M tokens/day).
- Lazy AI explanations mean zero API calls are made for inactive tenants - AI processing only happens when a user requests it or when the nightly jobs run.
7. Cookies
Prody uses a single strictly necessary cookie (prody_session) for authentication. No tracking cookies, advertising cookies, or third-party analytics cookies are used.
- httpOnly (not accessible via JavaScript)
- Secure (only sent over HTTPS)
- SameSite=Strict (not sent on cross-site requests)
- 24-hour expiration
8. Sub-Processors
We use a limited number of third-party services to operate Prody. Each is evaluated for security practices.
- Anthropic (San Francisco, CA) - AI processing for Signals, Ask Prody, and Discoveries
- Railway (San Francisco, CA) - Application and database hosting
- Resend (San Francisco, CA) - Transactional email (verification, welcome, notifications)
- Cloudflare (San Francisco, CA) - DNS management and marketing site hosting
We notify customers at least 30 days before adding a new sub-processor. See our Sub-Processors page for the current list.
9. Compliance
- GDPR - Prody supports GDPR compliance with built-in PII tools: user data lookup, data export (CSV), anonymization, and full deletion. Data Processing Agreements are available on request.
- CCPA - California residents can exercise their rights through the same PII tools. We do not sell personal information.
- Data retention - configurable per tenant. Admins set retention policies in Settings. Automated nightly cleanup enforces retention limits.
- SOC 2 - planned. We are building toward SOC 2 Type I certification. Contact us for our current security questionnaire.
10. Incident Response
We maintain a formal incident response procedure with 4-level severity classification (P0-P3), defined response times, and a 5-step process: Contain, Assess, Notify, Remediate, Post-Incident Review.
In the event of a data breach affecting your data, we will notify affected customers within 72 hours in accordance with GDPR requirements. Notifications include the nature of the breach, data affected, remediation steps taken, and contact information.
11. Responsible Disclosure
If you discover a security vulnerability in Prody, please report it to security@prody.com. We ask that you:
- Provide enough detail to reproduce the issue
- Give us reasonable time to address the vulnerability before public disclosure
- Do not access or modify other customers' data
We appreciate security researchers who help us keep Prody safe and will acknowledge valid reports.
12. Contact
For security questions, concerns, or to request our security questionnaire, contact security@prody.com.
For privacy-related inquiries, see our Privacy Policy or contact privacy@prody.com.