Pantry Persona Icon
Pantry Persona

Security Policy

Last updated: March 31, 2026

Reporting a Vulnerability

If you discover a security vulnerability in Pantry Persona, we appreciate your help in disclosing it to us responsibly. Please report vulnerabilities by emailing:

hello@pantrypersona.com

Please include as much detail as possible: a description of the vulnerability, steps to reproduce, potential impact, and any suggested remediation. We will acknowledge receipt within 2 business days.

Responsible Disclosure

We follow a 90-day responsible disclosure window:

  • We will acknowledge your report within 2 business days.
  • We will provide an initial assessment within 10 business days.
  • We aim to remediate confirmed vulnerabilities within 90 days of the initial report.
  • We will notify you when the issue has been resolved.
  • We ask that you do not publicly disclose the vulnerability until we have had an opportunity to address it.

In Scope

  • The Pantry Persona web application at www.pantrypersona.com
  • The MCP server endpoint at www.pantrypersona.com/api/mcp
  • OAuth 2.0 authorization and token endpoints
  • API endpoints under www.pantrypersona.com/api/

Out of Scope

  • Denial of service attacks
  • Social engineering or phishing of Pantry Persona staff or users
  • Attacks requiring physical access to a user's device
  • Third-party services integrated with Pantry Persona (report these to the respective provider)

Our Security Practices

  • Authentication: OAuth 2.1 with PKCE, hashed tokens, 1-hour access token expiry, 30-day refresh token rotation.
  • Data isolation: Row-level security policies ensure users can only access their own data.
  • Encryption: All data in transit is encrypted via TLS. HSTS is enforced with preload.
  • Rate limiting: Per-user and per-IP rate limiting on all API and MCP endpoints.
  • Input validation: All inputs validated with strict schemas. PII is redacted from logs.
  • MCP security: Least-privilege OAuth scopes, tool-level authorization, and audit logging for all MCP tool calls.
  • Infrastructure: Hosted on Vercel with automatic security patches and DDoS protection.

Contact

For security concerns, email hello@pantrypersona.com.

For general support, email hello@pantrypersona.com.