Skip to main content

Security

Last updated: March 14, 2026

1. Our Security Philosophy

Stone AI is designed to be local-first by default. Security is foundational to every layer of the platform — not an afterthought. We believe you should have full control over your data and how it is processed.

2. Local vs. Non-Local Processing

Local mode (Free, Starter, Plus tiers): All AI processing is performed entirely on Stone AI's own infrastructure. Your prompts, conversations, and data never leave our servers and are never transmitted to any third party.

Smart and Cloud modes (Smart, Pro tiers): When you opt into Smart or Cloud mode, your data is transmitted to third-party AI providers for processing. In these modes, your data is subject to those providers' own privacy policies and data handling practices. Smart and Cloud modes are strictly opt-in — you always have the option to remain on Local mode for complete data sovereignty.

3. Encryption

Data at rest: Sensitive data is protected using AES-256-GCM encryption, aligned with OWASP Top 10 A02 (Cryptographic Failures) guidelines. Credentials and API keys are stored securely and are never persisted in plaintext.

Data in transit: All communication between your browser and our servers is encrypted using TLS with HTTPS enforced across the entire platform. No exceptions.

4. Abuse Prevention

All endpoints are protected by automated threat detection and rate limiting. This prevents brute-force attacks, credential stuffing, API abuse, and denial-of-service attempts. Repeated violations result in temporary or permanent access restrictions.

5. Browser Security

Stone AI enforces Content Security Policy (CSP) headers, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security on every response — aligned with OWASP Top 10 A05 (Security Misconfiguration) guidelines and NIST CSF PR.IP requirements. These protections defend against cross-site scripting, clickjacking, protocol downgrade attacks, and unauthorized resource loading.

6. Origin Protection

API access is restricted to authorized origins only. Requests from unauthorized sources are rejected at the server level, preventing third-party websites or scripts from interacting with Stone AI's services on behalf of authenticated users.

7. Authentication

Stone AI uses Clerk for authentication with server-side session verification, short-lived tokens with automatic rotation, and secure identity management — aligned with OWASP Top 10 A07 (Identification and Authentication Failures) and OWASP ASVS V2/V3 requirements. Users can authenticate via email or supported social login providers.

8. Payment Security

All payment processing is handled by a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment card industry. Stone AI never stores, processes, or has access to your full credit card number, CVV, or banking details. We retain only the minimum identifiers necessary for billing management.

9. Input Sanitization

All user-submitted content — including chat messages, forum posts, and feedback — is validated using strict schema validation (Zod) and sanitized before processing and storage. Database queries are parameterized via Prisma ORM to prevent SQL injection. These controls are aligned with OWASP Top 10 A03 (Injection) guidelines and CWE-20/CWE-89 mitigations.

10. Audit Logging

Stone AI maintains security audit logs to support rapid incident response and forensic analysis. Logging covers security-relevant events across the platform and is continuously monitored for anomalous activity.

11. Data Usage and AI Training

Stone AI does not use your conversations or prompts to train AI models when using Local mode. When using Smart or Cloud modes, your data is transmitted to third-party AI providers whose data handling practices are governed by their own policies. Anonymized, aggregated usage patterns may be used to improve service quality and platform performance across all modes.

12. Security Frameworks

Stone AI's security practices are aligned with the following recognized frameworks:

  • OWASP Top 10 (2021) — Web application security risk mitigation across all 10 categories
  • OWASP ASVS Level 1 — Application security verification baseline for input validation, authentication, session management, and cryptography
  • NIST Cybersecurity Framework (Protect Function) — Access control, data security, and protective technology controls
  • CWE/SANS Top 25 — Prevention of the most dangerous software weaknesses including XSS, SQL injection, and improper input validation

"Aligned with" indicates that our controls follow the principles and recommendations of these standards. Stone AI has not undergone formal third-party certification audits for these frameworks.

13. Infrastructure Security

Our production infrastructure is protected by Cloudflare WAF and DDoS protection with Content Security Policy headers, rate limiting on all endpoints, and automated threat detection — aligned with NIST CSF Protect Function (PR.PT) requirements. Origin servers are shielded behind multiple layers of protection to prevent unauthorized access and ensure high availability.

14. Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers who help keep Stone AI and its users safe. If you discover a security vulnerability, please report it responsibly.

Report vulnerabilities to: [email protected]

When reporting, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any suggested remediation (optional but appreciated)

We ask that you give us reasonable time to investigate and address reported vulnerabilities before making any public disclosure. We will not take legal action against security researchers who act in good faith and comply with this responsible disclosure policy.

Stone AI develops AI-powered security and compliance tools as part of our platform offering. We work with security professionals across our reseller and enterprise programs to bring these capabilities to organizations at scale. If your background is in security and our mission resonates with you, we'd welcome a conversation — [email protected].

15. Contact

For security-related questions, concerns, or vulnerability reports, contact us at [email protected]. For general support inquiries, contact [email protected].