PromptGuard is built with enterprise security requirements in mind. This page outlines our security practices, compliance status, and data handling policies.
Security Certifications
| Certification | Status | Details |
| --- | --- | --- |
| SOC 2 Type II | In Progress | Expected Q2 2026 |
| GDPR | Compliant | EU data processing agreement available |
| CCPA | Compliant | California consumer privacy rights |
| ISO 27001 | Planned | On roadmap for 2026 |
| HIPAA | Available | Enterprise tier with BAA |
For enterprise customers requiring specific compliance certifications, contact sales@promptguard.co to discuss your requirements.
Data Handling
What Data We Process
| Data Type | Processing | Retention |
| --- | --- | --- |
| Prompts & Messages | Scanned for threats in memory | Not stored (pass-through) |
| API Keys | Encrypted at rest (AES-256) | Until deleted |
| Usage Metrics | Aggregated counts | 90 days |
| Security Events | Threat details logged | 30 days (configurable) |
| Audit Logs | User actions | 90 days |
Data Flow
Pass-Through Architecture
PromptGuard operates as a pass-through proxy:
Prompts and responses are scanned in memory
Content is not stored after processing
Only metadata (timestamps, threat types, confidence scores) is logged
Your data never touches disk in unencrypted form
Security event logs may contain sanitized snippets of blocked content for debugging purposes. These are automatically purged after the retention period. Enterprise customers can disable content logging entirely.
Infrastructure Security
Cloud Infrastructure
| Component | Provider | Security |
| --- | --- | --- |
| Compute | Google Cloud Run | Serverless, auto-scaling |
| Database | Supabase (PostgreSQL) | Encrypted at rest, TLS in transit |
| Secrets | Google Secret Manager | IAM-controlled access |
| CDN/DDoS | Google Cloud Armor | Rate limiting, WAF |
| DNS | Cloudflare | DDoS protection |
Encryption
| Layer | Standard |
| --- | --- |
| In Transit | TLS 1.3 |
| At Rest | AES-256 |
| API Keys | Argon2id hashing |
| Secrets | Google KMS |
Network Security
All endpoints require HTTPS
Cloud Armor rate limiting (100 req/min per IP)
No public SSH access to infrastructure
VPC-based isolation between services
Private database connections (no public IP)
Access Control
Authentication Methods
| Method | Use Case |
| --- | --- |
| API Key | Server-to-server, SDK integrations |
| Session (JWT) | Dashboard access |
| OAuth | GitHub/Google SSO |
| SAML/OIDC | Enterprise SSO (Enterprise tier) |
API Key Security
Keys are hashed with Argon2id before storage
Only the prefix (pg_xxxx...) is stored in plain text
Full key shown only once at creation
Keys can be rotated without downtime
Project-scoped API keys (no per-key permission types; tier gating via subscription)
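The storage scheme listed above (plaintext lookup prefix, hashed secret, full key returned once, project scoping), as an added example that is not PromptGuard's own code. It uses scrypt from the Python standard library as a stand-in for Argon2id so it runs without third-party packages; the function names, the in-memory `store` and the 7-character prefix length are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 7  # "pg_" + 4 characters; the length is an assumption


def _kdf(key: str, salt: bytes) -> bytes:
    # Stand-in for Argon2id: scrypt is the memory-hard KDF in the stdlib.
    return hashlib.scrypt(key.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _match(store: dict, key: str):
    """Return (bucket, record) for a presented key, or (None, None)."""
    bucket = store.get(key[:PREFIX_LEN], [])
    for rec in bucket:
        # Constant-time compare so timing does not leak hash bytes.
        if hmac.compare_digest(_kdf(key, rec["salt"]), rec["hash"]):
            return bucket, rec
    return None, None


def create_key(store: dict, project: str) -> str:
    """Store prefix, salt and hash only; the full key is returned once."""
    key = "pg_" + secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    record = {"project": project, "salt": salt, "hash": _kdf(key, salt)}
    # Several keys may share a prefix, so each prefix maps to a list.
    store.setdefault(key[:PREFIX_LEN], []).append(record)
    return key


def verify_key(store: dict, presented: str):
    """Return the project the key is scoped to, or None if it is not valid."""
    _, rec = _match(store, presented)
    return rec["project"] if rec else None


def revoke_key(store: dict, key: str) -> bool:
    """Delete the record for a key; used as the last step of a rotation."""
    bucket, rec = _match(store, key)
    if rec is None:
        return False
    bucket.remove(rec)
    return True
```

Rotation without downtime in this model is `create_key` for the replacement, a deploy of the new key, then `revoke_key` on the old one; both keys verify during the overlap.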
Role-Based Access (Enterprise)
| Role | Permissions |
| --- | --- |
| Owner | Full access, billing, delete organization |
| Admin | Manage users, projects, settings |
| Member | View projects, create API keys |
| Viewer | Read-only dashboard access |
Audit Logging
What’s Logged
| Event | Details Captured |
| --- | --- |
| Authentication | Login, logout, failed attempts |
| API Key Management | Create, rotate, delete |
| Project Changes | Settings, policies, presets |
| Security Events | Blocked requests, threat types |
| User Management | Invites, role changes |
Accessing Audit Logs
Go to Dashboard → Settings → Audit Logs
Filter by date range, event type, or user
Export as CSV or JSON
Log Export (Enterprise)
Enterprise customers can configure:
SIEM Integration: Stream logs to Splunk, Datadog, etc.
S3 Export: Daily log exports to your bucket
Webhook: Real-time log forwarding
Incident Response
Security Incident Process
Detection: Automated monitoring + manual review
Containment: Isolate affected systems
Investigation: Root cause analysis
Notification: Affected customers notified within 72 hours
Remediation: Fix deployed, post-mortem published
Reporting Security Issues
Found a vulnerability? Contact us:
Data Residency
Current Regions
| Region | Data Center |
| --- | --- |
| US | Google Cloud us-central1 (Iowa) |
Planned Regions
| Region | Status |
| --- | --- |
| EU (Frankfurt) | Q3 2026 |
| APAC (Singapore) | Q4 2026 |
Enterprise customers requiring specific data residency can request dedicated deployment in their preferred region.
Vendor Security
Subprocessors
| Vendor | Purpose | Data Processed |
| --- | --- | --- |
| Google Cloud | Infrastructure | All data |
| Supabase | Database | Metadata, logs |
| Stripe | Billing | Payment info |
| Resend | Email | Email addresses |
LLM Providers
PromptGuard forwards requests to your chosen LLM provider. We do not store data sent to:
OpenAI
Anthropic
Google AI
Cohere
AWS Bedrock
Azure OpenAI
Your data handling agreement is with each LLM provider directly.
Enterprise Security Features
Available on the Enterprise tier:
| Feature | Description |
| --- | --- |
| Self-Hosted Deployment | Run PromptGuard in your own infrastructure |
| Air-Gapped Mode | Zero external network calls |
| SSO (SAML/OIDC) | Integrate with your IdP |
| IP Allowlisting | Restrict API access by IP |
| Custom Data Retention | Configure log retention periods |
| Dedicated Support | SLA-backed support with named contact |
| Custom BAA | HIPAA Business Associate Agreement |
Security Questionnaire
Need to complete a vendor security assessment? We provide:
CAIQ (Consensus Assessment Initiative Questionnaire)
SIG Lite (Standardized Information Gathering)
Custom Questionnaires (for Enterprise customers)
Contact security@promptguard.co for these documents.
Responsible Disclosure
We appreciate security researchers who help keep PromptGuard secure:
Report the issue to security@promptguard.co
Do not publicly disclose until we’ve addressed it
Provide steps to reproduce
Allow reasonable time for remediation (90 days)