Security Documentation
This document describes how Prodia Systems Ltd ("Prodia") protects the prodia.dev platform, responds to security incidents, handles coordinated vulnerability disclosure and manages data throughout its lifecycle. It is governed by the laws of Ireland and the law of the European Union, including Directive (EU) 2022/2555 ("NIS2") and Regulation (EU) 2016/679 ("GDPR"). For the detailed Vulnerability Disclosure Policy, see Vulnerability Disclosure; for data-retention specifics, see Data Retention & Deletion.
1. Security Programme
Prodia operates an information-security management system aligned with ISO/IEC 27001 principles. The programme is reviewed at least annually and after every material security event.
- Access control: least-privilege, need-to-know basis with role-based and attribute-based enforcement. Multi-factor authentication is mandatory for every employee account and every administrative interface; phishing-resistant factors (WebAuthn / FIDO2) are required for privileged roles.
- Cryptography: encryption in transit (TLS 1.2 or higher) and at rest using industry-standard algorithms and key management.
- Infrastructure: network segmentation, hardened build pipelines, signed deployment artefacts and infrastructure-as-code with drift detection.
- Vulnerability management: continuous dependency scanning, container scanning, infrastructure-as-code analysis and authenticated / unauthenticated production scanning on a recurring schedule. Annual independent penetration test, plus targeted tests on material changes.
- Patch management: Critical vulnerabilities are remediated within 7 days, High within 30 days, Medium within 90 days and Low at the next maintenance window. Compensating controls are applied where immediate remediation is not possible.
- Logging and monitoring: centralised security logging with tamper-evident storage, defined retention and 24/7 alerting for high-severity events.
- Personnel: mandatory security training on onboarding and at least annually thereafter; background checks for personnel with privileged access where lawful; confidentiality and IP-assignment obligations for every member of personnel.
- Sub-processors: due diligence and contractual security obligations for every third party that processes customer or personal data.
2. Secure Development Lifecycle
- Threat modelling on material new features and any change to security-sensitive surfaces.
- Static analysis, software-composition analysis, secret scanning and license analysis on every pull request.
- Two-person review for code touching authentication, authorisation, cryptography, data export, customer-data paths or billing.
- Production deploys are versioned, observable and reversible. An emergency change procedure exists, with a mandatory post-incident review.
- Security champions are embedded in product teams; direct production writes are prohibited.
3. Incident Response
Prodia maintains a documented incident-response plan that covers the full lifecycle: detection, triage, containment, eradication, recovery and post-incident review. The plan is exercised at least annually.
3.1 Detection and triage
- Automated alerting on anomalies in access patterns, data volumes, error rates and infrastructure health.
- An on-call security engineer is reachable through a defined escalation path; major incidents trigger a cross-functional response team.
- Every potential incident is assigned a severity (Critical, High, Medium, Low) based on confidentiality, integrity and availability impact.
3.2 Containment and eradication
- Immediate isolation of affected systems, credential rotation and revocation of compromised sessions.
- Forensic artefacts are preserved in tamper-evident storage with chain of custody.
- Root-cause analysis is performed before re-enabling affected services.
3.3 Recovery and review
- Services are restored in a staged manner with enhanced monitoring.
- A post-incident review is conducted within 5 business days; findings are tracked to closure.
- Lessons learned are fed back into the security programme, threat models and training materials.
3.4 Breach notification
In the event of a confirmed personal-data breach, Prodia will notify affected customers without undue delay and assist them in meeting their obligations under Articles 33 and 34 GDPR. Where applicable, Prodia will also comply with notification obligations under NIS2 and the EU AI Act. Notification includes: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
4. Data Handling Practices
Prodia handles data in accordance with the storage-limitation principle in Art. 5(1)(e) GDPR and the confidentiality obligations in its customer agreements.
4.1 Classification
- Customer content (repository data, prompts, generated outputs): treated as confidential; processed only for the purpose of delivering the Service and never used to train models without explicit contractual authorisation.
- Personal data: handled in accordance with the Privacy Policy and the Data Processing Addendum; limited to what is necessary for account management, billing, support and legal compliance.
- Telemetry and audit logs: retained for security, debugging and compliance purposes on defined schedules.
- Billing and tax records: retained for 6 years in accordance with Irish revenue and company law.
4.2 Retention and deletion
- Account and identity data: life of account plus 12 months, then deleted or anonymised.
- Customer repository content: duration of subscription plus 30-day wind-down for export, then deleted on customer instruction or 90 days after termination by default.
- Telemetry and audit logs: 12–24 months in active systems, subject to longer retention for security, legal hold or regulatory obligation.
- Active-system deletion is performed within 30 days of the trigger event. Encrypted backups are overwritten on a 35-day rotation schedule, after which data is no longer recoverable.
- Records under legal hold are exempt from scheduled deletion for the duration of the hold.
4.3 Sub-processors and transfers
Prodia uses sub-processors for infrastructure, analytics and support. Each sub-processor is bound by data-processing agreements that impose at least the same security and confidentiality standards. Transfers outside the European Economic Area rely on approved transfer mechanisms (Standard Contractual Clauses with supplementary technical measures where required). See International Data Transfers for details.
5. Vulnerability Disclosure
Prodia welcomes coordinated disclosure of security vulnerabilities in accordance with ISO/IEC 29147:2018 and ENISA guidance on CVD. For the full policy, response timelines, scope and safe-harbour terms, see the Vulnerability Disclosure Policy.
- Reporting: email security@prodia.dev with a clear technical description, reproduction steps and supporting evidence. PGP key and security.txt are published at /.well-known/security.txt.
- Scope: prodia.dev, *.prodia.dev, official Prodia-hosted APIs, SDKs and downloadable clients. Third-party services, social engineering, denial-of-service testing and purely theoretical findings without proof of concept are out of scope.
- Safe harbour: Prodia will not initiate or support legal action against researchers acting in good faith and in compliance with the published policy, provided they avoid privacy violations, do not exfiltrate or destroy data beyond the minimum necessary, and hold disclosure for a reasonable remediation period (ordinarily 90 days).
- Response timelines: acknowledgement within 3 business days; initial triage and severity assessment within 10 business days; status updates at least every 14 days until resolution.
6. Customer Responsibilities
Security is a shared responsibility. Customers are expected to:
- Maintain strong credentials for their Prodia accounts and enable multi-factor authentication where offered.
- Report suspected unauthorised access or anomalies to security@prodia.dev promptly.
- Ensure that any data they upload does not contain malware, illegal content or material that violates the Acceptable Use Policy.
- Keep their contact information current so that Prodia can reach them during a security event.
7. Governing Law
This document is governed by the laws of Ireland. Nothing in it limits rights or remedies available under mandatory provisions of Irish or EU law. In the event of any conflict between this document and the Terms of Service, the Terms of Service prevail.
