polymorph
← Legal

Security Policy

Last updated June 19, 2026

Security is foundational to how we build Polymorph. This page describes the practices and controls we use to protect the data entrusted to us. We treat security as an ongoing program and continue to invest as we grow.

Infrastructure

The Services run on established cloud infrastructure providers that maintain robust physical and environmental security for their data centers. We rely on managed services to reduce our attack surface and to keep underlying systems patched and current.

Encryption

Data is encrypted in transit using TLS. Data at rest is encrypted using industry standard algorithms. Secrets and credentials are stored in dedicated secret management systems rather than in source code.

Access control

We follow the principle of least privilege. Access to production systems and customer data is limited to personnel who need it, is granted based on role, and is protected by strong authentication, including multi-factor authentication. Access is reviewed and revoked when no longer required.

Application and network security

We use code review and version control as part of our development process, monitor dependencies for known vulnerabilities, and apply updates promptly. Production environments are isolated and protected by network controls that restrict access to only what is necessary.

Monitoring and logging

We log relevant system and application events and monitor our environment for anomalous activity so that we can detect and respond to issues.

Resilience and backups

We maintain backups of critical data and design our systems for availability and recovery, so that we can restore service in the event of a disruption.

Vendor management

We review the security practices of the sub-processors and vendors we rely on and require appropriate data protection commitments from them. A description of how we engage sub-processors is available in our Data Processing Agreement.

People

Team members receive security guidance appropriate to their role and are bound by confidentiality obligations. We limit access to sensitive systems and data to those who require it for their work.

Incident response

We maintain an incident response process to investigate, contain, and remediate security events. If an incident affects customer data, we will notify affected customers consistent with our commitments and applicable law.

Compliance

We align our practices with widely recognized security standards and data protection laws, including the GDPR and the CCPA where applicable. We will update this page as our program matures. If you have specific compliance questions, please reach out.

Reporting a vulnerability

We welcome reports from security researchers. If you believe you have found a vulnerability, please contact us at founders@usepolymorph.com with details so we can investigate. We ask that you give us a reasonable opportunity to address the issue before public disclosure, and that you avoid accessing or modifying data that is not yours.

© 2026 Polymorph, Inc.founders@usepolymorph.com