Security at pmly

Last updated: 10 June 2026

pmly handles the most sensitive thing a delivery professional owns: their client governance record. Security is not a feature we added — it is how the product is designed. This page explains our approach and the commitments we hold ourselves to.

This website

The site you are on (pmly.app) is a static marketing site. It contains no application logic, no database connection, and no access to any customer or project data. It is served over HTTPS with HSTS, and the pmly application is hosted separately and access-controlled. There is no path from this site into the product.

How the product is built to protect your data

The following describes the security model of the pmly application as we build it. Because pmly is in active development, treat these as our engineering commitments and design principles rather than a snapshot of a finished, audited system.

Tenant & engagement isolation

Every database table enforces row-level security. No query returns data without a matching, authenticated user context, and each engagement is isolated at the data layer — not merely hidden in the interface. A PM running several clients cannot see one client's data while working in another's, by design.

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), applied throughout rather than only on selected fields.

Data residency

Customer data is stored on infrastructure in the UK / European Economic Area. Where any provider operates outside that region, we rely on recognised transfer safeguards.

Append-only audit trail

Decisions, changes, and document versions are recorded in an append-only history. Your governance record is intended to stand up to a difficult sponsor, a client audit, or a post-mortem months after an engagement ends.

File-upload security pipeline

Files you upload pass through a multi-stage pipeline — including antivirus scanning and an AI prompt-injection classifier — before they reach any processing or reach an AI model.

Network protection

Application traffic sits behind a web application firewall with DDoS mitigation and common-attack (OWASP Top 10) coverage, plus security headers on every response.

AI safety: it proposes, you approve

pmly's agents never write to your records on their own. The AI proposes; the human approves. Model inputs are screened for prompt injection, and AI-generated narrative is checked for groundedness against your actual data — numbers like earned value are calculated by the database, never invented by a model.

Access & least privilege

Internal access to systems follows least-privilege principles, and we never use elevated database credentials inside application code.

Commercial confidentiality

For engagements with a client portal, commercially sensitive figures are protected at the API level, not just hidden in the UI. For fixed-price work, budget data is simply absent from the API response; for time-and-materials, individual consultant rates are removed and only totals are shown. A client cannot reveal hidden figures by inspecting network traffic.

Reporting a vulnerability

We welcome responsible disclosure. If you believe you have found a security issue, please email hipmlyapp@hotmail.com with enough detail to reproduce it. Please give us a reasonable opportunity to investigate and fix the issue before any public disclosure, and do not access or modify data that is not yours. We will acknowledge your report and keep you updated.

Certifications & current status

pmly is in early access. We have not yet completed independent certifications such as SOC 2 or ISO 27001; we are building toward them and will publish our status here as we progress. If your organisation has specific security or due-diligence requirements, contact us at hipmlyapp@hotmail.com and we will share what we can.