SOC 2 Type II In Progress

Trust & Security

At PromptFluent, security isn't an afterthought—it's foundational to how we build and operate our platform. Your prompt libraries represent your organization's intellectual approach to AI. We treat that responsibility seriously.

Last Updated: June 19, 2026

SOC 2 Type II Compliance

Current Status: In Progress

PromptFluent is actively pursuing SOC 2 Type II certification following the Trust Services Criteria for Security.

What This Means:

  • We have implemented controls aligned with SOC 2 requirements
  • We maintain documented security policies and procedures
  • We are building the audit trail required for Type II certification
  • We are targeting completion of our Type II observation period in Q3 2026

What We Have in Place

Control Area          | Status      | Details
Access Controls       | Implemented | Role-based access, MFA required, quarterly access reviews
Data Encryption       | Implemented | AES-256 at rest, TLS 1.2+ in transit
Incident Response     | Documented  | Formal incident response plan with defined procedures
Vendor Management     | Documented  | Vendor assessment and monitoring procedures
Change Management     | Implemented | Documented change procedures with approval workflows
Monitoring & Logging  | Implemented | Security event logging with defined retention

Data Protection

Encryption at Rest

All customer data is encrypted at rest with AES-256. This includes:

  • Prompt libraries and content
  • Organization and team data
  • User account information
  • Backups and archives

Encryption in Transit

All data transmitted to and from PromptFluent is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and implement HTTP Strict Transport Security (HSTS).

Data Isolation

Each organization's data is logically isolated using row-level security policies. Your prompts and data are never accessible to other customers.
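The row-level security isolation described above, shown as an added example that is not PromptFluent's own schema or code: a generic PostgreSQL pattern (Supabase runs on PostgreSQL) in which the table name prompts, the column org_id, the role app_user and the session setting app.current_org_id are all assumptions made for illustration.

```sql
-- Added example: per-organization isolation with PostgreSQL row-level security.
-- Table, column, role and setting names are assumptions, not PromptFluent's schema.

CREATE TABLE prompts (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id  uuid NOT NULL,
    title   text NOT NULL,
    body    text NOT NULL
);

-- Constructed data: two tenants, loaded before RLS is switched on.
INSERT INTO prompts (org_id, title, body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Org A summariser', 'Summarise the ticket ...'),
  ('22222222-2222-2222-2222-222222222222', 'Org B classifier', 'Classify the request ...');

-- Without RLS, any role holding SELECT on the table sees every organization's rows.
-- Enable RLS, and FORCE it so the table owner is subject to the policies too
-- (superusers always bypass RLS, so application code must not run as one).
ALTER TABLE prompts ENABLE ROW LEVEL SECURITY;
ALTER TABLE prompts FORCE ROW LEVEL SECURITY;

-- Tenant context is a per-connection setting the application sets from the
-- authenticated session. With missing_ok = true an unset value yields NULL,
-- and NULL never compares equal, so an unscoped session matches no rows at all.
CREATE POLICY prompts_tenant_isolation ON prompts
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- The application role: table privileges alone no longer grant cross-tenant access.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON prompts TO app_user;

-- Act as the application with tenant A's context: only tenant A's rows are visible.
SET ROLE app_user;
SET app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT title FROM prompts;

-- A write that names another tenant's org_id is rejected by the WITH CHECK clause,
-- so a bug in the application cannot file data under the wrong organization.
INSERT INTO prompts (org_id, title, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'misfiled prompt', 'x');

RESET ROLE;

-- Control check for an access review: every ordinary table in the schema should
-- report rls_enabled = true, rls_forced = true and at least one policy.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*) FROM pg_policies p WHERE p.tablename = c.relname) AS policies
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r';
```

Run as a non-superuser database owner, the SELECT should return only "Org A summariser" and the cross-tenant INSERT should fail with a row-level security violation. The isolation is only as strong as the code path that sets app.current_org_id: it must be derived from the verified identity of the session, never from a request parameter, and the final query is the kind of evidence a SOC 2 auditor would expect for the "logically isolated" claim.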

Your Data, Your Control

We Do NOT Use Your Private Content to Train Public AI Models

This is a core commitment:

Your private prompt libraries, proprietary business content, uploaded materials, team workspaces, and customer-specific outputs are never used to train public AI models, shared with other customers, published, or sold as customer-identifiable data.

This applies across:

  • All AI providers integrated with our platform
  • Any third-party services we use
  • Our recommendation and analytics systems — they never expose your private content to other customers

PromptFluent does use aggregated, de-identified, and/or anonymized platform-usage and AI-execution telemetry to operate and improve the Service — recommendations, benchmarks, and research into AI execution trends — without exposing any individual customer’s confidential content. See our Privacy Policy for what we may analyze and what we never share, and our Data Processing Agreement for enterprise terms.

Data Portability

You can export your prompt libraries at any time in standard formats (XLSX, JSON).

Data Deletion

Upon account termination or request:

  • We provide a 30-day window to export your data
  • After 30 days, all customer data is permanently deleted
  • We provide written confirmation of deletion upon request

Access Control

Authentication

  • Multi-factor authentication (MFA) available and recommended for all accounts
  • Strong password requirements enforced
  • Session management with automatic timeout
  • SSO integration available for enterprise plans (SAML 2.0, OpenID Connect)

Authorization

  • Role-based access control (RBAC)
  • Granular permissions: Viewer, Contributor, Reviewer, Admin
  • Principle of least privilege enforced
  • Quarterly access reviews conducted

Infrastructure Security

Hosting

PromptFluent is hosted on enterprise-grade cloud infrastructure:

Component            | Provider             | Certifications
Application Hosting  | Vercel               | SOC 2 Type II
Database             | Supabase (AWS/GCP)   | Runs on SOC 2 certified infrastructure
CDN/Edge             | Vercel Edge Network  | SOC 2 Type II

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation
  • Rate limiting on all API endpoints
  • Regular security scanning

Incident Response

We maintain a formal Incident Response Plan that includes:

  • Detection: Continuous monitoring and alerting
  • Classification: Severity-based incident categorization
  • Response: Defined procedures for containment and eradication
  • Communication: Customer notification within 72 hours for incidents affecting customer data
  • Recovery: Documented recovery procedures
  • Post-Incident: Root cause analysis and continuous improvement

Contact for Security Concerns

If you discover a potential security vulnerability:

Vendor Management

We maintain a formal vendor management program that includes:

  • Security assessment before engagement
  • Data Processing Agreements (DPAs) with all vendors accessing customer data
  • Regular review of vendor security posture
  • Sub-processor notification and management

Key Sub-Processors

Vendor    | Purpose              | Location
Supabase  | Database hosting     | US/EU (selectable)
Vercel    | Application hosting  | Global (US primary)
Stripe    | Payment processing   | US

Business Continuity

Backups

  • Daily automated backups
  • Backups encrypted with AES-256
  • Geographically separate backup storage
  • Tested quarterly

Availability

  • Target uptime: 99.9%
  • Status page: status.promptfluent.com
  • Incident communication via status page and email

Compliance

Current

  • GDPR compliant (for EU customers)
  • CCPA compliant (for California residents)
  • SOC 2 Type II controls implemented (certification in progress)

Roadmap

  • SOC 2 Type II certification: Target Q3 2026
  • Additional compliance frameworks evaluated based on customer needs

Documentation Available Upon Request

For enterprise customers and prospects, we can provide:

  • Security questionnaire responses
  • Data Processing Agreement (DPA)
  • Penetration test summary (when available)
  • SOC 2 Type II report (when available)

Contact: sales@promptfluent.com

This page reflects our security practices as of June 19, 2026. We continuously improve our security posture and update this page accordingly.