Sandbox Isolation
Code execution in each conversation runs in an independent cloud container, achieving process-level isolation:Cloud Sandbox
Each conversation session gets an independent container environment. Your code never shares a runtime with other users — containers are fully isolated from each other.
Desktop Sandbox
Profy Desktop uses Seatbelt sandbox technology on macOS, providing two security profiles — network access is disabled by default and switched to a network-enabled profile when connectivity is needed.
Data Protection
Transport encryption
Transport encryption
All data is transmitted over HTTPS/TLS encryption. Communication between client and server, as well as between internal microservices, is protected by encryption.
Storage encryption
Storage encryption
User files are stored in object storage with server-side encryption enabled. Clients never directly touch storage credentials — all file access uses temporary pre-signed URLs with time-limited validity.
Credential security
Credential security
Knowledge base connector credentials are encrypted at rest and never exposed in API responses. API Keys are stored using SHA-256 hashes — the plaintext is shown once at creation time, after which the system only retains the hash.
Intellectual Property Protection
An Expert’s cognitive distillation results — mental models, decision heuristics, skill documents — are the creator’s core assets. Profy provides multi-layer protection:1
Internalized, not exposed
The cognitive structures produced by distillation are internalized as the Expert’s runtime behavior and cannot be exported as raw prompt text. Users can only converse with the Expert — they cannot “download” the Expert’s persona.
2
Skills are not reverse-engineerable
An Expert’s skill documents guide AI behavior but are never directly output during conversations. Users experience the Expert’s capabilities, not the underlying skill definitions.
3
Dual-track version review
New versions of published Experts must go through review before release. During review, the old version remains online while the new version is reviewed independently, ensuring published content always remains controlled.
Memory Isolation
Each Expert’s memory is strictly isolated by user:- User A’s memory with Expert X ≠ User B’s memory with Expert X
- User A’s memory with Expert X ≠ User A’s memory with Expert Y
- Cross-boundary access always returns 404 (non-enumerable — it’s impossible to probe whether someone else has memories)
Temporary conversation mode (skip_memory) ensures the current conversation neither reads existing memories nor creates any new persistent traces. Suitable for handling sensitive topics.
Authentication & Permissions
Profy provides a dual-track authentication system and fine-grained access control:Dual-Track Authentication
API Keys use the
sk-pro- prefix and are stored with SHA-256 hashing. OAuth uses the standard Authorization Code Flow, with time-limited Access Tokens and Refresh Tokens with automatic rotation.
Permission Model
RBAC custom roles
RBAC custom roles
Platform administrators can create custom roles by selecting permissions from a module-based permission tree, then assign them to team members. Every admin page has a dedicated permission code gate — having a role doesn’t mean having access to all pages.
Team permissions
Team permissions
Team management permissions are based on member roles (owner/admin/member), independent from platform roles. A team owner can manage their own team even without being a platform administrator.
Session isolation
Session isolation
Billing context uses request-level context variables to prevent session data cross-talk between concurrent requests. Different users’ conversations, files, and billing are completely isolated at the system level.
File Security
Pre-signed URLs
File access is performed through temporary pre-signed URLs with time-limited validity. Clients never directly hold storage credentials.
Per-user isolation
Each user’s files are stored under an independent namespace. File access requires identity authentication — it’s impossible to access other users’ files by guessing URLs.

