Last updated: April 10, 2026.
1. Overview
This policy describes the security practices applied by Prometheus Works LLC (“Seedling”) to protect the platform, its infrastructure, and the personal data of its users.
2. Transport security
All communication between users and the platform is encrypted using HTTPS with TLS 1.2 or above, enforced at the AWS CloudFront layer. All API calls to third-party services (Zoom, Stripe, Clerk, Anthropic, Mailjet, Google) are made exclusively over HTTPS. HTTP connections are redirected to HTTPS. Strict-Transport-Security (HSTS) headers are applied to all responses.
3. Authentication and authorization
User authentication is delegated to Clerk, a dedicated identity provider. Clerk handles password hashing, session management, multi-factor authentication support, and token issuance. Seedling never stores passwords. All authenticated API routes validate the Clerk session token on every request. Internal system-to-system calls use a separate service token with no user-level privileges.
4. Data storage security
The primary database (PostgreSQL on AWS RDS) enforces SSL on all connections and is deployed within a private VPC, inaccessible from the public internet. DynamoDB tables in production are encrypted using AWS KMS. S3 buckets use server-side encryption and are not publicly accessible except for explicitly designated static assets. OAuth tokens (Zoom, Google) are stored encrypted and are only accessible server-side.
5. Application security
All Zoom API calls and OAuth token operations are performed exclusively server-side. No tokens or secrets are exposed to client-side JavaScript. Environment variables and secrets are managed through SST/AWS Secrets Manager and are never committed to source control. Static Application Security Testing (SAST) is performed on the codebase using CodeQL via GitHub.
6. Access control
Production database and infrastructure access is restricted to authorized personnel only. Access follows the principle of least privilege. All administrative actions on the platform require authentication and role-based authorization checks.
7. Incident response
In the event of a suspected security incident or data breach, Seedling will:
- identify and contain the incident,
- assess the scope and impact,
- notify affected users and relevant authorities as required by applicable law (including the GDPR 72-hour notification requirement where applicable),
- remediate the root cause, and
- document the incident and corrective actions taken.
To report a security vulnerability, contact dpo@prometheusworks.co.
8. Third-party dependencies
Third-party libraries are managed via npm. Dependencies are reviewed for known vulnerabilities. Security patches are applied promptly upon availability.
9. Policy review
This policy is reviewed annually or following any significant security incident or infrastructure change.
Contact: dpo@prometheusworks.co.