Pascaline

Trust & diligence

Security & data posture

A plain-language security & data posture for platform and enterprise diligence — written to be honest about what is in place today and what is on the roadmap.

What we store — and don't

The calculation path is pure: a request's financial inputs are computed in memory and returned, and are not persisted. The database holds only accounts, API keys, and usage/telemetry metadata — never calculation inputs or results. Product telemetry records a request's shape (the sorted top-level field names) but never any values, so it carries no PII by construction.

Authentication & access

API keys are presented as keyId.secret; only a SHA-256 hash of the secret is stored, so a database compromise never yields a usable key. Accounts use a self-hosted auth library with signed session cookies. Administrative endpoints require a separate token compared in constant time and are never authenticated by a URL parameter (which would leak into logs); browser access uses an HttpOnly, Secure, SameSite=Strict cookie.

Secrets

All secrets live in an environment file on the server that is never committed to source control. Third-party keys are scoped to least privilege (for example, a send-only email key). Mutating portal actions are protected against CSRF with same-origin checks in addition to the session cookie.

Determinism as a security property

No language model touches any calculation or API path. There is no dynamic code execution in the calculation surface, so there is no prompt-injection or code-injection vector to exploit, and every result is fully reproducible and auditable from its inputs, parameter vintage, and cited sources.

Availability & monitoring

The service runs as a managed process behind a reverse proxy with TLS. A fast liveness probe (/health) and a deep readiness check (/ready, which reports a degraded state and a 503 when a dependency or data feed is stale) back external monitoring. Error tracking and a cron dead-man's-switch are wired and activated per environment. Roadmap: a formal, tested database backup/restore procedure.

Privacy

We do not sell personal data. Analytics runs only on public marketing pages — never in the authenticated portal or in embedded calculators. Every calculation response carries its statute citations and parameter vintage so results are independently checkable.

Sub-processors

Transactional email (Resend), payments when billing activates (Stripe), and a self-managed application server. The list is kept current here.

Reporting & attestations

Report a security concern to hello@pascaline.io. Pascaline is not yet SOC 2 audited; this page describes the operating posture, and we are glad to complete a security questionnaire for platform or enterprise partners.

Last updated 2026-07-06.