Security, privacy, accuracy, in one place.
Most SaaS founders forward this page to their engineering team and procurement counterparts before they buy. We wrote it to be scannable in three minutes.
Encryption
TLS 1.3 in transit. AES-256 at rest. Per-customer encryption keys for any data we persist. Secrets in HashiCorp Vault, rotated quarterly.
Access controls
Role-based access for the Prism team. Production access logged and reviewed weekly. Customer data accessible only on explicit support request, with audit trail.
Data residency
EU-default. All customer data and check inputs/outputs stored on EU infrastructure (Vercel + Supabase EU regions). US/UK residency available on Enterprise.
Compliance
SOC 2 Type II audit in progress (target Q3 2026). GDPR-compliant by default. EU AI Act readiness work tracked publicly on the changelog.
Customer data policy
We do not train models on customer data. Period. Your check inputs and outputs are never used as training data. We rely entirely on consent-cleared public datasets and our opt-in calibration panel.
Incident response
Security incidents disclosed to affected customers within 72 hours. Full post-mortems published on the changelog. Bug bounty program active; see /security.
The instrument is audited monthly. Publicly.
Every cluster we serve is audited against named, dated, public ground-truth datasets. The accuracy score, the sample size, the dataset citation, and the last-audit date are visible on /validation. Clusters whose audit falls below 80% accuracy are paused automatically and affected customers are notified.
Every third party we send data to.
We'll notify you 30 days before adding a new sub-processor that touches customer data. To be added to the notification list, email trust@prism.ai.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting & edge runtime | EU |
| Supabase | Database & auth | EU (Frankfurt) |
| Anthropic | LLM inference (ensemble member) | US |
| OpenAI | LLM inference (ensemble member) | US/EU |
| Google AI Studio | LLM inference (ensemble member) | US/EU |
| Stripe | Payments & billing | Ireland |
| Resend | Transactional email | EU |
| PostHog (planned) | Product analytics | EU |
Need a DPA, security review, or pen-test summary?
Email security@prism.ai and we'll send the relevant documents within one working day. For deeper technical detail, see /security.