Security & privacy
How we keep your data safe.
stateful only works because people put real plans — and real details about their lives — into it. That sets a high bar. Here's exactly how the product is built to clear it, written plainly and limited to what's actually true. For the privacy posture in one breath, see Trust & data.
We never trust a claimed identity.
Every request proves who it's from before it does anything. There's no path that takes your word for it.
Every request is authenticated
Each request carries a cryptographically signed token from our identity provider. The server verifies that signature on every request against the provider's public keys — nothing runs on an unverified token.
Issuer and audience are pinned
A valid signature isn't enough on its own. We also check the token was issued by us, for us — issuer and audience are pinned — so a token minted for somewhere else can't be replayed against stateful.
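The two checks described above, signature against the provider's public keys and then pinned issuer and audience, as an added example that is not stateful's own code. The issuer URL, audience string, key ID and the choice of RS256 are assumptions for the demo, and the keypair and tokens are constructed in-process.

```javascript
const nodeCrypto = require('node:crypto');
// Constructed values; a real service pins its own provider's issuer and its own audience.
const PINNED = { iss: 'https://idp.example.test/', aud: 'example-api', alg: 'RS256' };
const b64url = (v) => Buffer.from(v).toString('base64url');
const decode = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Demo-only signer standing in for the identity provider.
function mintToken(privateKey, claims, kid = 'demo-key-1') {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = `${head}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns { ok: true, claims } or { ok: false, reason }; no claim is used before the signature passes.
function verifyToken(token, keysByKid, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = decode(parts[0]); claims = decode(parts[1]);
    if (!header || !claims) throw new Error('not an object');
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm server-side; never let the token header choose it.
  if (header.alg !== PINNED.alg) return { ok: false, reason: 'bad_alg' };
  const key = Object.hasOwn(keysByKid, header.kid) ? keysByKid[header.kid] : null;
  if (!key) return { ok: false, reason: 'unknown_key' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sigOk = nodeCrypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad_signature' };
  // A valid signature only proves who signed; now pin who issued it and for whom.
  if (claims.iss !== PINNED.iss) return { ok: false, reason: 'wrong_issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(PINNED.aud)) return { ok: false, reason: 'wrong_audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed scenario: the same provider key signs tokens for two different audiences.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const keys = { 'demo-key-1': publicKey }, now = 1700000000;
  const base = { iss: PINNED.iss, sub: 'user-123', exp: now + 300 };
  const forUs = mintToken(privateKey, { ...base, aud: PINNED.aud });
  const forOtherApp = mintToken(privateKey, { ...base, aud: 'some-other-app' });
  const [h, , s] = forUs.split('.'); // swap the payload but keep the old signature
  const tampered = `${h}.${b64url(JSON.stringify({ ...base, aud: PINNED.aud, sub: 'someone-else' }))}.${s}`;
  return { forUs: verifyToken(forUs, keys, now), forOtherApp: verifyToken(forOtherApp, keys, now), tampered: verifyToken(tampered, keys, now) };
}
console.log(demo());
```

The `forOtherApp` token carries a genuine provider signature and is still rejected, which is the case audience pinning exists for.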
Magic links stay secret
Sign-in is passwordless. The one-time codes and magic-link secrets behind it are never returned in an API response — they exist to be used once, not to be read back.
You only ever see your own data.
Isolation isn't a policy we promise to follow — it's enforced in the database itself, on every read.
Row-Level Security on every table
Row-Level Security is turned on for every table in our database. The rules that decide what you can see live next to the data, so a query can't accidentally hand you a row you shouldn't have.
Space membership is checked on every read
You can only see Spaces you've been added to. There's no URL to guess, no ID to enumerate — if you aren't a member, the Space isn't reachable.
A request returns your world, and only yours
Any given request returns your own data and the Spaces you belong to — never a neighbor's. Isolation is the default the system falls back to, not an option it has to remember to apply.
Public pages expose only what you choose
When you publish a Space as a read-only page, anonymous visitors see a curated summary you chose to make public — never member lists, emails, or private fields. The rest stays invisible to anyone you didn't add.
Pango sees the Space, not your life.
The AI is powerful inside a Space and deliberately blind outside it. What it can act on is fenced, and what reaches it is screened first.
Scoped to one Space
Pango's view is the conversation, artifacts, and memories of that Space's members — nothing from your other Spaces. It can't pull a fact from one room into another.
Every message is screened first
Before the AI acts on a message, it passes through a safety layer — on every path, including live, streaming turns. There's no fast lane that skips the check.
Blocking actually blocks
Block someone and they're fully cut off — they can't message you, mention you, invite you, or reach you through the AI. Blocked means blocked, on every surface.
Guardrails on the things that get abused.
The sensitive actions — the ones spammers and bad actors reach for first — are rate-limited and watched.
Rate limits on sensitive actions
Connection requests, RSVPs, AI usage, and uploads carry rate limits and abuse guards, so no one can hammer them to spam people or run up cost.
Content safety & moderation
A content-safety and moderation layer sits across the product, and accounts that abuse it can be suspended. The shared spaces stay usable.
Your data, on your terms.
Control isn't a one-time consent screen. You can change what's remembered and what's shared whenever you like — and leaving takes your data with you.
Correct what Pango remembers
Everything the AI remembers about you is visible and editable. Fix it, refine it, or delete it — the change takes effect on the AI's next turn.
Control what's public
You decide your public profile, your notification preferences, and exactly what a shared Space exposes to people outside it. Nothing is shared by accident.
Delete means delete
Deleting your account cascades — it removes your connections, your blocks, and the related data tied to you. You can walk away cleanly.
Built on infrastructure you can name.
No mystery stack. We run on well-known managed providers, and your data is encrypted both in transit and at rest.
Cloudflare's edge + Supabase
The product runs on Cloudflare's edge network with Supabase (managed Postgres) for data. Both are operated by teams whose entire job is keeping infrastructure healthy.
Encrypted in transit and at rest
Traffic to stateful is served over HTTPS, so data is encrypted on the wire. At rest, the managed Postgres and storage layers encrypt your data on disk.
What we won't claim.
We're early, and we'd rather be precise than impressive. So a few things you'll notice we don't say:
- We don't claim a formal compliance certification (SOC 2, HIPAA, ISO, “GDPR-certified”). We haven't been through those audits, so we won't put their badges on a page.
- We don't claim end-to-end encryption of messages. Your data is encrypted in transit and at rest — that's true and worth saying — but it isn't E2EE, and we won't imply otherwise.
- No “military-grade,” “unhackable,” or absolutes. No security is perfect; anyone who tells you theirs is should worry you more than reassure you.
As we move out of preview we'll publish a fuller security overview and a DPA for work customers. If you're evaluating stateful and need detail we haven't put here yet, email hello@stateful.com — we'll answer straight.