
Security assessment.

Summary of Pondral's security assessment posture.

Last internal audit: June 2026
Third-party pentest: Not yet conducted
Critical findings: 0 open

Current status

Pondral has not yet undergone a formal third-party penetration test. A third-party assessment is planned as the product scales.

Internal security audits are conducted periodically. The most recent (June 2026) covered the full application surface: authentication, multi-tenant isolation, API authorization, SSRF prevention, rate limiting, and server-side error handling.

Internal audit scope (June 2026)

Production application (web, API), authentication and authorization flows, multi-tenant isolation (RLS + application-level gates), audit-pipeline workers, and webhook endpoints.

All findings from the June 2026 internal audit have been remediated and deployed (PRs #127–#132).

Ongoing practices

Continuous dependency scanning via GitHub Dependabot with prompt patches for critical CVEs. Row-level security enforced on all tenant-scoped tables. SSRF prevention on all user-controlled URL fetches.

Responsible disclosure policy at /security.txt. We acknowledge receipt within one business day and triage within five.

For security questions or to request a customer-specific assurance package, email hello@pondral.com.

Last updated June 2026