Legal

Security Overview

How Katalyst Persuasion OS protects platform access, user data, and proprietary seed content.

Last updated: May 22, 2026  |  Operated by Katalyst Consulting

This page is a working policy draft and should be reviewed by qualified counsel before final legal reliance. This overview describes our current security posture, not a certified security program.

1. Authentication and Access Control

All authenticated routes in Katalyst Persuasion OS require a valid JSON Web Token (JWT). Sessions are not persistent beyond the token expiry window.

  • Admin and super-admin routes are role-gated and inaccessible to standard user accounts
  • Users can only access their own generated outputs, history, and memory bank records
  • Admin access to user accounts is logged in an immutable audit table
  • Forced password change is enforced server-side for flagged accounts

2. Proprietary Seed and Payload Content

Katalyst's runtime seed brain — the AI-assisted objection intelligence framework — is proprietary content. It is not publicly exposed.

  • Raw seed JSON is never returned to unauthenticated users
  • Admin seed library routes require super-admin role
  • Seed brain payload uploads are rate-limited and restricted to authorized admins
  • Payload size limits and JSON safety checks (prototype pollution, path traversal) are enforced on all uploads
  • SHA256 checksums are generated on upload and promotion
  • Append-only audit logs are maintained for all payload operations

No raw seed or payload content is publicly served or accessible via public API endpoints.

3. Data Handling

User-generated content (objection inputs, sales snapshots, follow-up requests) is stored in a managed PostgreSQL database hosted on Neon. Data is associated with the authenticated user account that created it.

  • Passwords are hashed using PBKDF2 with per-user salts — plaintext passwords are never stored or logged
  • OAuth tokens for service connections are encrypted at rest using AES-256-GCM
  • Buyer intent data is stored with IP address truncation (first three octets only) and SHA256-hashed IP fingerprints
  • No plaintext passwords, raw API keys, or auth secrets are ever stored in logs or database fields

4. Email and API Key Security

Sensitive credentials (email API keys, external service tokens) are stored as environment variables on the hosting platform. They are not stored in the application database, repo, or any publicly accessible file.

  • Email API keys are provisioned by platform operations — not stored in application code
  • API key presence is checked by a status endpoint (returns boolean only — never the key value)
  • Exposed or burned keys are rotated immediately upon discovery

5. Compliance-Aware, Not Compliance-Certified

Katalyst Persuasion OS is designed with awareness of regulated industries including debt relief, collections, healthcare, and financial services. The platform enforces compliance-aware guardrails in AI output generation.

However, Katalyst is not a certified compliance program. Outputs should not be used as final compliance documentation without review by qualified counsel or your compliance team.

6. Hostile Content Classification

All generation endpoints (Objection Intelligence, Quick Rebuttal, Follow-Up) include a pre-flight hostile content classifier. Inputs classified as crisis, do-not-contact, verbal abuse, discrimination, or other harmful categories are intercepted before AI generation and routed to safe action guidance instead.

7. Responsible Disclosure

If you discover a security vulnerability in the Katalyst platform, please report it responsibly before public disclosure. Contact us at info@katalystconsulting.io with a description of the issue. We will respond within 2 business days.

Security Concerns

Report vulnerabilities responsibly — we will respond promptly.

info@katalystconsulting.io

Related policies: Privacy Policy · Terms of Use · Refund Policy · Acceptable Use · Strategy Kit Terms