Prompts are intellectual property. We treat them that way — encrypted, auditable, deletable on request, and never used to train anyone's model.
SOC 2 Type II — in progress (Q3 target). GDPR & CCPA aligned. DPA available on request. HIPAA with BAA on the roadmap.
TLS 1.3 in transit. AES-256 at rest. Tenant-isolated row-level security on every table. Secrets stored in a managed vault.
SSO/SAML & SCIM (via WorkOS), RBAC across owner / admin / editor / member / reviewer / viewer / billing. Optional MFA enforcement, session policies, and IP allowlists.
Every prompt edit, run, share, role and policy change is logged with actor, IP, before/after diff — and exportable as CSV. Retention is configurable per data type.
US region by default. EU (Frankfurt) on the roadmap. Bring-your-own-key (BYOK) is supported for OpenAI, Anthropic, and Google.
Prompts and outputs are never used to train AI models — ours, our gateway's, or any provider's. Contractually enforced with sub-processors.

| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, storage | US / EU |
| Cloudflare | Edge runtime, DDoS, CDN | Global |
| Lovable AI Gateway | Model routing | US |
| Resend | Transactional email | US |
| Stripe | Billing | US / EU |

Email security@prompsy.app — we reply within one business day.