Security & trust

Read-only by architecture.
Built to withstand outside scrutiny.

Pariom touches the most sensitive system a mid-market company runs — its books. We treat that responsibility as a hard architectural constraint, not a compliance checklist. This page is what we send your IT director.

Built on SOC 2-certified infrastructure · AWS · Supabase · Anthropic · Stripe
01 · Architecture

No write tokens. Ever.

The OAuth grants we request from QuickBooks, Xero, and other source systems are read-scoped. We cannot post a journal entry, modify a contact, or invoice a customer even if we wanted to. The lack of write capability is not a policy: it is a limit of the tokens themselves. The source systems issue them without write scopes, and their APIs reject writes from such tokens.

Tenant model: Dedicated single-tenant Postgres instance per customer. No shared databases. Ever.
Storage region: AWS us-east-1 by default. eu-west-1 available on Team tier. Data never crosses regions.
Encryption at rest: AES-256-GCM via AWS KMS. Customer-managed keys available on Team tier.
Encryption in transit: TLS 1.3. Managed via AWS and Vercel infrastructure.
Authentication: OAuth 2.0 with PKCE for source systems. SAML SSO and SCIM on Team tier.
Backups: Continuous WAL streaming, 7-day point-in-time recovery, weekly snapshot-and-restore test.
Audit logging: Every query, model call, and surface render logged immutably for 90 days.
Deletion SLA: 24 hours from disconnect or written request. Verified-by-engineer process.
02 · Compliance

Infrastructure compliance. Privacy law.

Infrastructure

We build on AWS, Supabase, Anthropic, and Stripe — all SOC 2 Type II certified.

GDPR

Data processing agreement available on request. Data subject requests handled within 30 days via security@pariom.ai.

CCPA

California residents can request deletion or access to personal data. Email security@pariom.ai.

HIPAA

Not in scope. Healthcare customers should not upload PHI.

03 · Subprocessors

Every vendor named. Every one audited.

Pariom does not subcontract data handling without disclosing it. The list below is the complete set of vendors who touch customer data.

AWS: Compute · storage · networking. us-east-1, us-west-2. SOC 2 Type II.
Anthropic: Claude, used for memo generation and Ask Pariom. Zero data retention configured.
Stripe: Billing only. No financial data from your books is sent to Stripe.
Supabase: Authentication only. Postgres databases are self-hosted on AWS, not on Supabase infrastructure.
Datadog: Observability and logging. Customer financial data excluded from all traces.
1Password: Internal secrets management. SOC 2 Type II.

Full subprocessor list: /legal/subprocessors

04 · Disclosure

Found something? Tell us.

Write to security@pariom.ai. We respond inside 24 hours with an acknowledgment and a timeline. Bounty rewards scale with severity. We name researchers on this page once a fix ships.
