Precedent
Log inBack

Security Policy

Last updated: January 2025

Security Overview

Precedent implements enterprise-grade security measures to protect your data. We use AES-256 encryption, OAuth 2.0 authentication, and operate according to AICPA Trust Services Criteria while working toward SOC 2 Type II attestation.

Data Encryption

Encryption at Rest

  • AES-256 encryption for all stored data
  • Database encryption with Supabase
  • Encrypted backups with separate keys
  • Key rotation every 90 days

Encryption in Transit

  • TLS 1.3 for all communications
  • HTTPS enforced for all connections
  • Certificate pinning for API calls
  • Perfect Forward Secrecy (PFS)

Access Controls & Authentication

OAuth 2.0 Authentication

All Gmail access uses Google's OAuth 2.0 with the principle of least privilege:

  • • Read-only access by default
  • • Graduated permissions (send access only after 20 approved actions)
  • • User-controlled permission levels
  • • Revocable at any time through Google

Multi-Factor Authentication

  • Required for all admin accounts
  • TOTP (Time-based One-Time Password)
  • Hardware security keys supported
  • Session timeout after 8 hours

Role-Based Access Control

  • Principle of least privilege
  • Regular access reviews (quarterly)
  • Row-level security in database
  • Automatic access revocation on termination

Infrastructure Security

Cloud Security

  • SOC 2 Type II in progress - AICPA Trust Services Criteria
  • Network segmentation and firewalls
  • DDoS protection and rate limiting
  • Regular security updates and patches

Monitoring & Logging

  • 24/7 security monitoring
  • Automated threat detection
  • Comprehensive audit logging
  • Real-time alerting for anomalies

Incident Response & Recovery

Incident Response Plan

Response Timeline

  • • Detection: Real-time monitoring
  • • Assessment: Within 15 minutes
  • • Containment: Within 1 hour
  • • Investigation: Within 4 hours
  • • Recovery: Within 24 hours
  • • Post-incident review: Within 72 hours

Communication

  • • Internal team notification
  • • User notification (if required)
  • • Regulatory reporting (if required)
  • • Public disclosure (if required)
  • • Post-incident transparency report

Data Recovery

  • Daily encrypted backups with 30-day retention
  • Geographically distributed backup storage
  • Regular backup testing and restoration
  • Recovery Time Objective (RTO): 4 hours

Compliance & Certifications

Current Certifications

  • SOC 2 Type II (target: Q2 2025)
  • ISO 27001 (planned)
  • GDPR compliance
  • CCPA compliance

Security Assessments

  • Annual penetration testing
  • Quarterly vulnerability scans
  • Continuous security monitoring
  • Third-party security audits

Current Security Maturity

Security Controls Already in Place

While working toward SOC 2 Type II attestation, we already implement robust security controls that demonstrate our commitment to protecting your data:

Technical Controls

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • OAuth 2.0 with multi-factor authentication
  • Row-level security in database
  • Automated vulnerability scanning

Operational Controls

  • 24/7 security monitoring and alerting
  • Incident response procedures
  • Regular security training for staff
  • Access controls and user management
  • Data backup and recovery procedures

AI Security & Prompt Injection Prevention

Prompt Injection Defense

User emails could theoretically contain malicious prompts attempting to manipulate our AI. We prevent this through:

  • Input sanitization: Email content is wrapped in XML tags so the AI treats it as data, not instructions
  • Output validation: All AI responses are parsed with strict JSON schemas; invalid outputs are rejected
  • Confidence thresholds: Suspiciously high or low urgency scores trigger manual review flags

Data Minimization & Privacy

Zero Data Retention Policy

We implement strict data minimization principles:

  • • Email content stored for maximum 21 days
  • • AI processes emails ephemerally (no permanent storage)
  • • No training on personal data
  • • Automatic deletion after retention period
  • • User-controlled data deletion
  • • Complete data removal on account closure

Privacy by Design

  • Data collected only for stated purposes
  • User control over data processing
  • Transparent data usage policies
  • Regular privacy impact assessments

Security Contact Information

For security-related questions, vulnerability reports, or security incidents:

Security Team: security@getprecedent.ai
Vulnerability Reports: security@getprecedent.ai
Incident Response: security@getprecedent.ai
General Support: hello@getprecedent.ai

Security Vulnerability Disclosure: We appreciate responsible disclosure. Please report security vulnerabilities to security@getprecedent.ai and allow us time to address the issue before public disclosure.

Updates to Security Policy

We regularly review and update our security practices. This policy may be updated to reflect changes in our security measures, compliance requirements, or industry best practices. We will notify users of any material changes to this security policy.