SOC 2 Type II In Progress

Trust & Security

At PromptFluent, security isn't an afterthought—it's foundational to how we build and operate our platform. Your prompt libraries represent your organization's intellectual approach to AI. We treat that responsibility seriously.

Last Updated: January 21, 2026

SOC 2 Type II Compliance

Current Status: In Progress

PromptFluent is actively pursuing SOC 2 Type II certification following the Trust Services Criteria for Security.

What This Means:

  • We have implemented controls aligned with SOC 2 requirements
  • We maintain documented security policies and procedures
  • We are building the audit trail required for Type II certification
  • We expect to complete our Type II observation period in Q3 2026

What We Have in Place

Control Area         | Status      | Details
Access Controls      | Implemented | Role-based access, MFA required, quarterly access reviews
Data Encryption      | Implemented | AES-256 at rest, TLS 1.2+ in transit
Incident Response    | Documented  | Formal incident response plan with defined procedures
Vendor Management    | Documented  | Vendor assessment and monitoring procedures
Change Management    | Implemented | Documented change procedures with approval workflows
Monitoring & Logging | Implemented | Security event logging with defined retention

Data Protection

Encryption at Rest

All customer data is encrypted using AES-256 encryption. This includes:

  • Prompt libraries and content
  • Organization and team data
  • User account information
  • Backups and archives

Encryption in Transit

All data transmitted to and from PromptFluent is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and implement HTTP Strict Transport Security (HSTS).

Data Isolation

Each organization's data is logically isolated using row-level security policies. Your prompts and data are never accessible to other customers.
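The row-level security pattern described above, shown as an added illustration for PostgreSQL (the database engine Supabase is built on). This is example code written for this page, not PromptFluent's own schema or policies; the prompts table, the organization_id column, the app_user role and the app.current_org session setting are all assumptions made for the illustration.

```sql
-- Hypothetical tenant table; column and table names are assumptions for this example.
CREATE TABLE prompts (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL,
    body            text NOT NULL
);

-- Enable RLS, and FORCE it so the table owner is also subject to the policy.
-- (Superusers and roles with BYPASSRLS still bypass it; the API must not run as those.)
ALTER TABLE prompts ENABLE ROW LEVEL SECURITY;
ALTER TABLE prompts FORCE ROW LEVEL SECURITY;

-- Role the API runs as (assumed name). It gets table privileges but never bypasses RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON prompts TO app_user;

-- The policy compares each row's organization_id with a per-transaction setting
-- the API populates after authenticating the caller.
-- current_setting(name, true) returns NULL instead of raising when the setting is
-- absent, and NULLIF maps a reset-to-empty value to NULL as well, so a request that
-- forgot to set the organization matches zero rows rather than every row.
CREATE POLICY prompts_org_isolation ON prompts
    FOR ALL TO app_user
    USING (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per-request usage from the API (assumes the connecting role is a member of app_user).
-- SET LOCAL scopes both the role and the organization to this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, title FROM prompts;   -- only this organization's rows are visible
INSERT INTO prompts (organization_id, title, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');  -- rejected by WITH CHECK
COMMIT;
```

The WITH CHECK clause is what stops a caller from writing rows into another tenant's organization, and FORCE ROW LEVEL SECURITY closes the common gap where the API connects as the table owner and silently skips the policy. A useful verification is to run the SELECT with no app.current_org set and confirm it returns zero rows.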

Your Data, Your Control

We Do NOT Use Customer Data to Train AI Models

This is a core commitment:

Customer prompt libraries, usage data, and any content created or stored within the PromptFluent platform are never used to train machine learning models, improve AI algorithms, or for any purpose other than delivering the PromptFluent service to that specific customer.

This applies to:

  • All AI providers integrated with our platform
  • Our own analytics and improvement processes
  • Any third-party services we use

Data Portability

You can export your prompt libraries at any time in standard formats (XLSX, JSON).

Data Deletion

Upon account termination or request:

  • We provide a 30-day window to export your data
  • After 30 days, all customer data is permanently deleted
  • We provide written confirmation of deletion upon request

Access Control

Authentication

  • Multi-factor authentication (MFA) available and recommended for all accounts
  • Strong password requirements enforced
  • Session management with automatic timeout
  • SSO integration available for enterprise plans (SAML 2.0, OpenID Connect)

Authorization

  • Role-based access control (RBAC)
  • Granular permissions: Viewer, Contributor, Reviewer, Admin
  • Principle of least privilege enforced
  • Quarterly access reviews conducted

Infrastructure Security

Hosting

PromptFluent is hosted on enterprise-grade cloud infrastructure:

Component           | Provider            | Certifications
Application Hosting | Vercel              | SOC 2 Type II
Database            | Supabase (AWS/GCP)  | Runs on SOC 2 certified infrastructure
CDN/Edge            | Vercel Edge Network | SOC 2 Type II

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation
  • Rate limiting on all API endpoints
  • Regular security scanning

Incident Response

We maintain a formal Incident Response Plan that includes:

  • Detection: Continuous monitoring and alerting
  • Classification: Severity-based incident categorization
  • Response: Defined procedures for containment and eradication
  • Communication: Customer notification within 72 hours for incidents affecting customer data
  • Recovery: Documented recovery procedures
  • Post-Incident: Root cause analysis and continuous improvement

Contact for Security Concerns

If you discover a potential security vulnerability:

Vendor Management

We maintain a formal vendor management program that includes:

  • Security assessment before engagement
  • Data Processing Agreements (DPAs) with all vendors accessing customer data
  • Regular review of vendor security posture
  • Sub-processor notification and management

Key Sub-Processors

Vendor   | Purpose             | Location
Supabase | Database hosting    | US/EU (selectable)
Vercel   | Application hosting | Global (US primary)
Stripe   | Payment processing  | US

Business Continuity

Backups

  • Daily automated backups
  • Backups encrypted with AES-256
  • Geographically separate backup storage
  • Tested quarterly

Availability

  • Target uptime: 99.9%
  • Status page: status.promptfluent.com
  • Incident communication via status page and email

Compliance

Current

  • GDPR compliant (for EU customers)
  • CCPA compliant (for California residents)
  • SOC 2 Type II controls implemented (certification in progress)

Roadmap

  • SOC 2 Type II certification: Target Q3 2026
  • Additional compliance frameworks evaluated based on customer needs

Documentation Available Upon Request

For enterprise customers and prospects, we can provide:

  • Security questionnaire responses
  • Data Processing Agreement (DPA)
  • Penetration test summary (when available)
  • SOC 2 Type II report (when available)

Contact: sales@promptfluent.com

Frequently Asked Questions

This page reflects our security practices as of January 21, 2026. We continuously improve our security posture and update this page accordingly.