
Security

Last updated: 19 May 2026 · v1.0 — effective 19 May 2026

PromptSpotter is built to prevent sensitive data from leaving your browser. The same architecture that protects your users from over-sharing also limits what we ourselves could possibly leak. This page summarises the security commitments behind the Service.

Architectural commitments

  • Prompt content never leaves the browser. Detection runs entirely on the user's device. Our event-log database has no columns that could hold prompt text — this is a structural property, not just a policy.
  • Server-side validators reject text-content fields. If a future code change accidentally tried to send prompt text, the API would reject the payload with HTTP 400. We have automated tests for this.
  • Append-only audit log. No API or admin interface can modify or delete event records after they're written.
  • Per-company install tokens with revocation as a first-class admin action. Revoked tokens stop working immediately.
  • Tenant isolation enforced at the application layer; every query is scoped by company ID.
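The commitments in the list above, shown as one added example that is not PromptSpotter's own code: a server-side event validator whose schema is a closed allow-list of short, machine-readable fields (so there is no field that could carry prompt text), which rejects unknown fields with a 400-style result, refuses revoked install tokens, and takes the tenant's company ID from the token rather than from the client body. The field names, value formats, token registry and sample events are all assumptions made for illustration.

```javascript
// Added illustration, not PromptSpotter's code. Field names, limits, the
// token registry and the sample events below are assumptions.

// Closed schema: every field has a narrow type and a short bounded format.
// There is deliberately no field that could hold free text.
const EVENT_SCHEMA = {
  event_type:  v => typeof v === "string" && /^[a-z_]{1,32}$/.test(v),
  detector:    v => typeof v === "string" && /^[a-z0-9_]{1,32}$/.test(v),
  occurred_at: v => typeof v === "string" && v.length <= 30 && !Number.isNaN(Date.parse(v)),
  match_count: v => Number.isInteger(v) && v >= 0 && v <= 10000,
};

// Assumed install-token registry (constructed sample data). In a real service
// this is a database lookup; a revoked token resolves to nothing.
const INSTALL_TOKENS = new Map([
  ["tok_live_abc123", { companyId: "co_42", revoked: false }],
  ["tok_live_old999", { companyId: "co_42", revoked: true }],
]);

function resolveToken(authorizationHeader) {
  const m = /^Bearer\s+(\S+)$/.exec(authorizationHeader || "");
  if (!m) return null;
  const entry = INSTALL_TOKENS.get(m[1]);
  return entry && !entry.revoked ? entry : null;
}

// Validates one inbound event and returns an HTTP-style result:
// 401 for a missing or revoked token, 400 for any schema violation,
// 202 with the record that would be appended to the event log.
function validateEvent(authorizationHeader, payload) {
  const token = resolveToken(authorizationHeader);
  if (!token) return { status: 401, errors: ["unknown or revoked install token"] };

  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { status: 400, errors: ["body must be a JSON object"] };
  }

  const errors = [];
  // Reject-unknown: a prompt_text field, or a client-supplied company_id,
  // fails here regardless of the value it carries.
  for (const key of Object.keys(payload)) {
    if (!Object.prototype.hasOwnProperty.call(EVENT_SCHEMA, key)) {
      errors.push(`unknown field: ${key}`);
    } else if (!EVENT_SCHEMA[key](payload[key])) {
      errors.push(`invalid value for ${key}`);
    }
  }
  for (const key of Object.keys(EVENT_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(payload, key)) errors.push(`missing field: ${key}`);
  }
  if (errors.length) return { status: 400, errors };

  // Tenant scoping: company_id comes from the token, so a client cannot write
  // into another tenant's partition. Only schema fields are copied across.
  const record = { company_id: token.companyId };
  for (const key of Object.keys(EVENT_SCHEMA)) record[key] = payload[key];
  return { status: 202, record };
}

// Sample inputs (constructed).
const goodEvent = { event_type: "detection", detector: "credit_card",
                    occurred_at: "2026-05-19T10:00:00Z", match_count: 1 };
const leakyEvent = { ...goodEvent, prompt_text: "my card number is 4111 1111 1111 1111" };
const spoofedTenant = { ...goodEvent, company_id: "co_99" };

console.log(validateEvent("Bearer tok_live_abc123", goodEvent).status);     // 202
console.log(validateEvent("Bearer tok_live_abc123", leakyEvent).errors);    // [ 'unknown field: prompt_text' ]
console.log(validateEvent("Bearer tok_live_abc123", spoofedTenant).status); // 400
console.log(validateEvent("Bearer tok_live_old999", goodEvent).status);     // 401
```

The useful property is that the leak path is closed twice: an extra field is rejected by name, and even an allowed field cannot smuggle free text because its format is bounded. The automated test the page mentions would, in this shape, simply assert that a payload containing prompt text yields 400.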

Operational controls

Domain                   | Measure
Encryption in transit    | TLS 1.2+ enforced across all endpoints
Encryption at rest       | AES-256 at our database and hosting providers
Authentication           | Magic-link sign-in for the admin console; per-company Bearer tokens for the extension
Authorization            | Per-row company-scoped queries; install-token revocation
Logging                  | All access to Personal Data is logged; logs retained for 12 months
Vulnerability management | Automated dependency scanning; critical CVEs patched within 7 days
Subprocessor oversight   | Annual review; current list always available
Incident response        | Documented runbook; 72-hour customer notification commitment

SOC 2 status

We do not currently hold a SOC 2 Type II report. We are working toward one with a target of Q4 2027. A full readiness statement — including which Trust Services Criteria controls are already in place and which are on the roadmap — is available under NDA on request.

Report a vulnerability

If you believe you have discovered a vulnerability in the PromptSpotter Service, please write to info@promptspotter.com. We will acknowledge receipt within one business day and provide an initial assessment within five.

We do not currently operate a paid bug-bounty programme, but we recognise good-faith research publicly with the reporter's consent.

Compliance documents available on request

  • Data Processing Agreement (GDPR Article 28) — counter-signed copies available on request
  • SOC 2 readiness statement
  • Data flow diagram showing every trust boundary the Service crosses
  • Sub-processor list (also published at /subprocessors)

Email info@promptspotter.com with a brief note about your use case and we will send the requested documents within two business days.
