
Security model

This page exists so when your enterprise customer audits you, you have something to paste into the response without writing from scratch. Organized by the questions we actually get.

Do you share a database with other tenants? No. Each workspace has its own dedicated instance with its own schema in Postgres. No cross-workspace shared table except the control plane (billing, Prysm:ID’s own audit), which contains no PII of your end users.

Is there a network path between instances? Instances don’t talk to each other. One instance can’t query another, not even through a misconfiguration: they live in separate networks.

What if the control plane is breached? The control plane can orchestrate workspaces (create, suspend, read config) but can’t read your end users’ credentials. Passwords live hashed (bcrypt) inside the workspace’s instance and never leave it.

At rest: Postgres with AES-256 volume-level encryption. Snapshots and backups are also encrypted.

In transit: TLS 1.3 enforced on every public endpoint (auth.*.prysmid.com, api.prysmid.com, app.prysmid.com). The control plane talks to your instance over internal TLS too; no plain traffic on any hop.

Application-level: any service-account credentials the control plane needs to operate your instance are encrypted with Fernet before persisting.

Each instance has its own key store. id_token and access_token are signed with RS256 by default. Public keys are exposed via JWKS at https://auth.<slug>.prysmid.com/oauth/v2/keys.

Rotation: signing keys rotate automatically. The old key stays valid for a grace period. Your client must follow JWKS dynamically, not cache a fixed key (most OIDC libraries do this right by default).
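As an added illustration (not Prysm:ID’s own code), a minimal rotation-aware JWKS cache of the kind the paragraph above asks for: it looks keys up by `kid`, refetches the JWKS (rate-limited) when a `kid` is unknown, expires its cache so withdrawn keys stop being accepted, and refuses any header whose `alg` is not RS256. The `acme` slug, the key ids `k1`/`k2` and the three rotation states are constructed for the demo.

```python
import base64
import json

JWKS_URL = "https://auth.acme.prysmid.com/oauth/v2/keys"  # page's pattern; "acme" is a placeholder slug

def jose_header(token):  # decode the compact-JWS header; nothing in it is trusted until the signature checks
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

class JwksCache:  # caches keys by kid; refetches on an unknown kid so rotation is followed automatically
    def __init__(self, fetch, url=JWKS_URL, ttl=300.0, min_refresh_gap=10.0):
        self._fetch, self._url, self._ttl, self._gap = fetch, url, ttl, min_refresh_gap
        self._keys, self._last = {}, float("-inf")

    def _refresh(self, now):
        self._keys = {k["kid"]: k for k in self._fetch(self._url).get("keys", []) if "kid" in k}
        self._last = now

    def key_for(self, token, now):
        """Return the JWK to verify `token` with, or None if the token must be rejected."""
        hdr = jose_header(token)
        if hdr.get("alg") != "RS256":  # the page's default; refuse alg=none / HS256 confusion
            return None
        if now - self._last > self._ttl:
            self._refresh(now)
        key = self._keys.get(hdr.get("kid"))
        if key is None and now - self._last >= self._gap:
            self._refresh(now)  # unknown kid usually means a freshly rotated key; rate-limited refetch
            key = self._keys.get(hdr.get("kid"))
        return key

def make_token(alg, kid):  # constructed token: real header, dummy payload and signature (demo only)
    hdr = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return hdr.rstrip(b"=").decode() + ".e30.sig"

ROTATION = [{"keys": [{"kid": "k1", "kty": "RSA"}]},                                  # before rotation
            {"keys": [{"kid": "k1", "kty": "RSA"}, {"kid": "k2", "kty": "RSA"}]},  # grace period
            {"keys": [{"kid": "k2", "kty": "RSA"}]}]                                  # grace over

def simulate_rotation():
    """Walk one cache through the constructed rotation; returns whether each lookup found a key."""
    phase = [0]
    cache = JwksCache(lambda url: ROTATION[phase[0]])
    found = [cache.key_for(make_token("RS256", "k1"), 0) is not None]        # k1 known: True
    phase[0] = 1
    found.append(cache.key_for(make_token("RS256", "k2"), 20) is not None)   # unseen kid -> refetch: True
    found.append(cache.key_for(make_token("RS256", "k1"), 30) is not None)   # k1 still served in grace: True
    phase[0] = 2
    found.append(cache.key_for(make_token("RS256", "k1"), 400) is not None)  # TTL elapsed, k1 withdrawn: False
    return found
```

In a real client, `fetch` is an HTTPS GET of the JWKS URL and the returned JWK is handed to your JWT library for signature verification; the cache logic is what keeps a pinned, stale key from breaking logins after a rotation.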

Who does what inside your instance: the native audit log records every event (signup, login, logout, password change, IdP linking, role grant, app registration). Access it via your instance’s admin API, or via the dashboard at app.prysmid.com → audit.

Who touches the control plane: separate audit log for admin actions on app.prysmid.com (which workspace member changed what). Visible from the dashboard.

Retention: 30 days on Free, 90 days on Pro, 1 year on Enterprise.

If you want to leave Prysm:ID today, you can:

  1. Export. Go to Settings → Export on the workspace. You download a full dump of your instance (users, IdPs, projects, apps, roles, branding) in standard format.

  2. Stand up your own infrastructure. The auth engine underneath is open source and self-hostable. Any server with Postgres works. Realistic operation is days, not months.

  3. Import the dump. Users, IdPs, apps, branding — everything restores.

  4. Point your DNS. Point auth.acme.prysmid.com yourself (CNAME to your server) or change the issuer in your app. Tokens issued before stay valid until expiry.

  5. Cancel Prysm:ID. Delete the workspace from the dashboard. The instance is deleted; backups purge at 90 days.

| Standard | Status |
| --- | --- |
| SOC 2 Type II | In progress (target: Q3 2026). |
| LGPD | Compliant (processor, contract available). Dedicated workspaces help posture. |
| Habeas Data (Argentina, Colombia) | Compliant. |
| GDPR | Compliant (processor). DPA available on Enterprise. |
| HIPAA | No (out of scope today). |
| PCI-DSS | We don’t process cards — Stripe does. |

[email protected] or PGP key at https://prysmid.com/.well-known/security.txt. Acknowledgment within 24h. Bug bounty pending; meanwhile we handle responsible disclosure case-by-case.