Security
Last updated: March 7, 2026
1. Our Security Philosophy
Stone AI is designed to be local-first by default. Security is foundational to every layer of the platform — not an afterthought. We believe you should have full control over your data and how it is processed.
2. Local vs. Non-Local Processing
Local mode (Free, Starter, Plus tiers): All AI processing is performed entirely on Stone AI's own infrastructure. Your prompts, conversations, and data never leave our servers and are never transmitted to any third party.
Smart and Cloud modes (Smart, Pro tiers): When you opt into Smart or Cloud mode, your data is transmitted to third-party AI providers for processing. In these modes, your data is subject to those providers' own privacy policies and data handling practices. Smart and Cloud modes are strictly opt-in — you always have the option to remain on Local mode for complete data sovereignty.
3. Encryption
Data at rest: Sensitive data is protected using industry-standard encryption. Credentials and API keys are stored securely and are never persisted in plaintext.
Data in transit: All communication between your browser and our servers is encrypted using modern transport-layer security. HTTPS is enforced across the entire platform with no exceptions.
4. Abuse Prevention
All endpoints are protected by automated threat detection and rate limiting. This prevents brute-force attacks, credential stuffing, API abuse, and denial-of-service attempts. Repeated violations result in temporary or permanent access restrictions.
5. Browser Security
Stone AI enforces a comprehensive set of browser security policies on every response. These protections defend against cross-site scripting, clickjacking, protocol downgrade attacks, and unauthorized resource loading. All policies are continuously reviewed and updated to reflect current best practices.
6. Origin Protection
API access is restricted to authorized origins only. Requests from unauthorized sources are rejected at the server level, preventing third-party websites or scripts from interacting with Stone AI's services on behalf of authenticated users.
7. Authentication
Stone AI uses an enterprise-grade authentication provider for session management, token issuance, and identity verification. Authentication tokens are short-lived and automatically rotated. Users can authenticate via email or supported social login providers.
8. Payment Security
All payment processing is handled by a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment card industry. Stone AI never stores, processes, or has access to your full credit card number, CVV, or banking details. We retain only the minimum identifiers necessary for billing management.
9. Input Sanitization
All user-submitted content — including chat messages, forum posts, and feedback — is validated and sanitized before processing and storage. Input validation is enforced on both the client and server side to protect against injection-based attacks.
10. Audit Logging
Stone AI maintains security audit logs to support rapid incident response and forensic analysis. Logging covers security-relevant events across the platform and is continuously monitored for anomalous activity.
11. Data Usage and AI Training
Stone AI does not use your conversations or prompts to train AI models when using Local mode. When using Smart or Cloud modes, your data is transmitted to third-party AI providers whose data handling practices are governed by their own policies. Anonymized, aggregated usage patterns may be used to improve service quality and platform performance across all modes.
12. Compliance
Stone AI's security practices are aligned with industry-recognized frameworks for data protection, access control, vulnerability management, and incident response. We regularly review and update our controls to meet evolving standards and regulatory expectations.
13. Infrastructure Security
Our production infrastructure is protected by enterprise-grade network security, with data encrypted in transit and at rest, and is continuously monitored for threats. Origin servers are shielded behind multiple layers of protection to prevent unauthorized access and ensure high availability.
14. Responsible Disclosure
We take security vulnerabilities seriously and appreciate the work of security researchers who help keep Stone AI and its users safe. If you discover a security vulnerability, please report it responsibly.
Report vulnerabilities to: security@stone-ai.net
When reporting, please include:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any suggested remediation (optional but appreciated)
We ask that you give us reasonable time to investigate and address reported vulnerabilities before making any public disclosure. We will not take legal action against security researchers who act in good faith and comply with this responsible disclosure policy.
Stone AI develops AI-powered security and compliance tools as part of our platform offering. We work with security professionals across our reseller and enterprise programs to bring these capabilities to organizations at scale. If your background is in security and our mission resonates with you, we'd welcome a conversation — careers@stone-ai.net.
15. Contact
For security-related questions, concerns, or vulnerability reports, contact us at security@stone-ai.net. For general support inquiries, contact support@stone-ai.net.