Security & Compliance

Security at Promptsy

We take the security of your data seriously. Learn about the measures we take to protect your prompts and personal information.

Encryption at Rest

All data stored in our database is encrypted at rest with AES-256, so your prompts are protected at the storage level as well as in the application.

Encryption in Transit

All connections to Promptsy use TLS 1.3, so data is encrypted in transit from your device to our servers.

Row-Level Security

Database access is enforced by row-level security policies, so each user can read and modify only their own rows.

Secure Authentication

We support email/password and OAuth authentication with secure session management and optional 2FA.

Infrastructure

Promptsy is built on a modern, secure infrastructure stack:

  • Supabase - SOC 2 Type II certified database and authentication platform
  • Cloudflare - Enterprise-grade CDN, DDoS protection, and WAF
  • Vercel - Secure, globally distributed edge infrastructure

All infrastructure providers maintain comprehensive security certifications and undergo regular third-party audits.

Data Handling

  • Your prompts are never used to train AI models
  • AI optimizations are processed through Cloudflare AI Gateway for security and privacy
  • Data is backed up regularly with point-in-time recovery
  • You can export or delete your data at any time

Compliance

GDPR

We comply with GDPR requirements for EU users, including data access, portability, and deletion rights.

CCPA

California residents have rights under CCPA to access, delete, and opt out of data sales.

Responsible Disclosure Program

Scope

In Scope

  • promptsy.dev (web application)
  • mcp.promptsy.dev (MCP server)
  • Chrome Extension (published version)
  • Authentication & authorization
  • API endpoints
  • Data access controls

Out of Scope

  • Third-party services (Supabase, Stripe, Cloudflare)
  • DoS/DDoS attacks
  • Social engineering or phishing
  • Self-XSS or theoretical issues without PoC
  • Missing headers on non-sensitive pages
  • Rate limit findings without impact

Testing Guidelines

  • Test only on your own account
  • Non-destructive testing only
  • Do not access or modify other users' data
  • Report promptly and coordinate disclosure
  • Do not disrupt service availability

What We're Looking For

High Priority

  • Authentication/authorization bypass
  • IDOR (Insecure Direct Object References)
  • SQL injection
  • Remote code execution
  • Privilege escalation
  • Stored/reflected XSS with impact

Informational

  • Missing security headers
  • Information disclosure (low impact)
  • Theoretical vulnerabilities

Our Commitment

  • Initial response within 3 business days
  • Triage and assessment within 10 business days
  • Fix timeline based on severity: Critical (7 days), High (30 days), Medium (90 days)
  • Coordinated public disclosure after fix is deployed

Safe Harbor

We will not pursue legal action against security researchers who make a good faith effort to follow this policy, avoid privacy violations and service disruption, and coordinate disclosure responsibly. We consider security research conducted consistent with this policy to be authorized.

We do not currently offer monetary rewards for vulnerability reports. We acknowledge researchers in our security hall of fame with their permission. A bug bounty program may be introduced in the future.

Report a Vulnerability

Found a security issue? Please email us with details about the vulnerability, steps to reproduce, and your contact information.

security@promptsy.dev