Skip to content
Persona Pal is in beta — join now for free access and discounted pricing when paid plans launch.

Security you can put your name behind

Personas often contain sensitive, proprietary knowledge about your users and customers. Persona Pal is built so that knowledge stays yours — fully isolated, encrypted, and never used to train anything.

Strict tenant isolation

An organisation’s data is visible only to that organisation’s members. Even the product owner cannot access an org account’s content. No cross-tenant access, ever.

Enterprise auth

SSO via SAML/OIDC (Azure AD / Entra first), enforced; SCIM for provisioning and deprovisioning; least-privilege role-based access control.

Encryption everywhere

Data is encrypted in transit (TLS) and at rest. Secrets and credentials are managed with least-privilege access.

Data residency & retention

Data residency options, plus a clear data-handling, retention and deletion policy you control.

Your content stays yours

We don’t train on customer data and we don’t share it with third parties. Even non-real customer names are treated as confidential.

Operational rigour

Audit logging, encrypted backups, incident response, and least-privilege internal access. SOC 2 is on our roadmap.

Our security commitments

This is the bar Persona Pal holds itself to as it moves from local MVP to a deployed product. We keep this honest: where something is on the roadmap rather than shipped, we say so.

Last updated: 13 June 2026

Tenant isolation

Persona Pal is multi-tenant by design, with strict logical isolation between organisations. An organisation’s personas, templates, notes and evidence are visible only to authenticated members of that organisation. The product owner and operators cannot access the contents of an org account. There is no cross-tenant access path, and access controls are enforced server-side on every request.

Authentication & access control

  • SSO: SAML/OIDC single sign-on, with Azure AD / Microsoft Entra ID supported first. SSO can be enforced for an organisation.
  • Provisioning: SCIM-based provisioning and deprovisioning so access follows your directory.
  • RBAC: least-privilege, role-based access within an organisation.

SSO, SCIM and RBAC are part of the Enterprise plan and are being rolled out as we deploy. See Pricing.

Encryption

All traffic is encrypted in transit using TLS. Data is encrypted at rest. Access to production systems and secrets is least-privilege and logged.

Proprietary-content stance

We treat all organisation content as confidential — even names that aren’t real customers can be proprietary. We do not train any model on your data, and we do not share your content with third parties for their own purposes.

Data residency, retention & deletion

We offer data residency options for Enterprise customers and provide a clear policy for how long data is retained and how it is deleted on request or on account closure.

Operational security

  • Audit logging of significant actions.
  • Regular, encrypted backups with tested restores.
  • A documented incident-response process.
  • Least-privilege internal access to production.
  • SOC 2 is a stated roadmap goal — we’re not claiming certifications we don’t yet hold.
  • A Data Processing Addendum (DPA) is available for Enterprise customers.

Analytics & cookies

We keep analytics privacy-respecting and are transparent about cookies. See our Privacy Policy for details on what we collect and why.

Reporting a concern

Found something, or have a compliance requirement we should know about? Email hello@personapal.io and we’ll respond promptly.

Make your personas living and useful.

Join the beta free. Suggest features and influence what ships next.

Join the beta

No credit card. No paywall during beta.