Security

We take the security of your mental health data seriously. Here's exactly what we do to protect it.

Last reviewed: February 2026

Penetration Testing

Prompt & Pause undergoes regular independent penetration testing by specialist security firms. We publish our testing programme and remediation status openly.

Akido Security

Automated + manual penetration testing

Akido provides continuous automated security scanning combined with expert-led manual penetration testing. Their platform covers OWASP Top 10, API security, and business logic vulnerabilities.

OWASP Top 10, API Testing, Auth Flows, Continuous Scanning

HostedScan

Vulnerability scanning & monitoring

HostedScan runs scheduled vulnerability scans across our infrastructure, network, and web application layers. Results are reviewed and triaged by our team on every scan cycle.

Network Scanning, CVE Detection, SSL/TLS Checks, Scheduled Scans

Testing cadence: continuous automated scanning + manual penetration tests on every major release and at minimum quarterly.

What We Test

Authentication & Session Management

Login flows, session tokens, password reset, MFA bypass attempts

Injection Attacks

SQL injection, XSS, CSRF, CSV injection, command injection

API Security

Rate limiting, authentication headers, endpoint enumeration, IDOR

Access Controls

Horizontal & vertical privilege escalation, RLS policy validation

Data Exposure

Sensitive data in responses, error messages, logs, and headers

Business Logic

Subscription bypass, gifted subscription abuse, tier enforcement

Most Recent Assessment

February 2026 — Full application penetration test. All findings remediated or accepted with documented rationale.

Critical: 0
High: 0
Medium: 2
Low / Informational: 4

Remediation Status

Content Security Policy (CSP) hardened: Resolved
Security response headers (HSTS, X-Frame-Options, etc.): Resolved
Rate limiting on all authentication endpoints: Resolved
CSV injection sanitisation in data exports: Resolved
Admin OTP brute-force protection: Resolved
JWT verification optimised (fast-path claims): Resolved

Responsible Disclosure: We do not publish full pentest reports publicly to avoid providing a roadmap for attackers. Summaries like this page are our commitment to transparency without compromising security.

Our Security Practices

Encryption at Rest & in Transit

All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Reflection text is additionally encrypted at the application layer before storage.

Row-Level Security (RLS)

Supabase RLS policies ensure users can only access their own data. Every table has enforced policies — no shared data access is possible at the database level.
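As an added illustration, not Prompt & Pause's own schema or policies, this is what a per-user Supabase RLS setup of the kind described above looks like for an assumed reflections table, followed by the check a reviewer would run to confirm that no table in the public schema is missing RLS.

```sql
-- Added example (assumed table and column names, not the product's schema).
-- Reflection text is stored already encrypted by the application layer.
create table public.reflections (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  ciphertext text not null,
  created_at timestamptz not null default now()
);

-- Weak state: a freshly created table has RLS disabled, so any caller
-- holding the anon or authenticated key can read every row via the API.

-- Corrected state: enable RLS (deny-by-default) and force it so that even
-- the table owner is subject to the policies below.
alter table public.reflections enable row level security;
alter table public.reflections force row level security;

-- auth.uid() is Supabase's helper returning the caller's JWT "sub" claim.
create policy "reflections_select_own" on public.reflections
  for select to authenticated
  using (auth.uid() = user_id);

create policy "reflections_insert_own" on public.reflections
  for insert to authenticated
  with check (auth.uid() = user_id);

-- USING filters which rows may be updated; WITH CHECK blocks rewriting
-- user_id to hand the row to another account.
create policy "reflections_update_own" on public.reflections
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "reflections_delete_own" on public.reflections
  for delete to authenticated
  using (auth.uid() = user_id);

-- No policy is granted to the anon role, so unauthenticated requests
-- receive zero rows rather than an error.

-- Check: every ordinary table in public must have RLS enabled.
-- This query should return no rows on a correctly locked-down schema.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```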

Zero Data Training Policy

Your reflection data is never used to train AI models. We have zero-retention agreements with all AI providers (OpenAI, Groq, Anthropic).

Dependency Scanning

Automated dependency vulnerability scanning runs on every commit via GitHub Actions. Critical CVEs trigger immediate patching workflows.

Least Privilege Access

Internal team access follows least-privilege principles. Production database access is restricted, logged, and requires MFA.

Incident Response

We have a documented incident response plan. In the event of a breach, affected users will be notified within 72 hours per GDPR Article 33 requirements.

Responsible Disclosure

If you discover a security vulnerability in Prompt & Pause, we ask that you report it to us privately before public disclosure. We commit to acknowledging your report within 48 hours and providing a remediation timeline within 7 days.

Report a vulnerability:

Email: security@promptandpause.com

Please include: affected URL or endpoint, steps to reproduce, potential impact, and your contact details. We do not pursue legal action against good-faith security researchers.

Questions About Security?

We're transparent about how we protect your data. Reach out anytime.