Security

Effective date: March 8, 2026 · Last updated: March 8, 2026

Security is a core priority at PropAI (“we”, “our”, or “us”). This page describes the technical and organisational measures we take to protect your data on propai-proposals.com. We continuously review and improve our security practices as the platform evolves.

1. Our Commitment

We are committed to protecting the confidentiality, integrity, and availability of your data. We build PropAI on trusted, security-focused infrastructure providers, apply the principle of least privilege throughout our systems, and work to ensure that your proposals and personal information remain yours alone.

2. Infrastructure

  • Hosting: PropAI is hosted on Vercel, which is SOC 2 Type II compliant. Vercel's infrastructure is designed for high availability and security.
  • Database and storage: Your data is stored in Supabase, with row-level security (RLS) enabled on all tables. RLS ensures that database queries are restricted to your own data — even at the database layer, one user cannot access another's records.
  • Encryption in transit: All communication between your browser and our servers is encrypted using TLS 1.2 or higher. Data is never transmitted in plain text.
  • Encryption at rest: All data stored in Supabase — including your profile, proposals, and uploaded files — is encrypted at rest using AES-256.

3. Authentication

  • Password hashing: If you sign up with an email and password, your password is hashed using bcrypt via Supabase Auth before storage. We never store plain-text passwords.
  • OAuth sign-in: You may sign in using Google or Facebook OAuth. In this case, we never see or store your OAuth provider password; we receive only your name and email address as shared by the provider.
  • Session tokens: Session tokens are short-lived and automatically rotated. Refresh tokens are used to renew sessions securely without requiring you to re-enter your password.

4. File Storage

  • Files you upload (documents, images, etc.) are stored in private, per-user storage buckets in Supabase Storage.
  • Row-level security policies prevent any cross-user access — your files are accessible only to your account.
  • Files are never shared with other users of the platform, and are not used to train AI models.
  • Storage bucket access requires a valid authenticated session token; unauthenticated requests are rejected.

5. Payment Security

  • All payment processing is handled entirely by Stripe, which is certified to PCI DSS Level 1 — the highest level of compliance in the payment card industry.
  • PropAI never sees, handles, or stores your full card number, CVV, or other sensitive payment credentials. These are entered directly into Stripe's secure payment interface.
  • We receive only limited billing metadata from Stripe (such as your plan type, subscription status, and the last four digits of your card) for account management purposes.

6. AI Processing

  • When you generate or revise a proposal, your content and any uploaded files are sent to the Anthropic Claude API over an encrypted HTTPS connection.
  • Per Anthropic's enterprise API policy, Anthropic does not use data submitted via the API to train its models. Your proposal content and uploaded files are not used to improve Anthropic's AI systems.
  • API requests are authenticated with a server-side key that is never exposed to the browser or client-side code.

7. Responsible Disclosure

We appreciate the work of security researchers and the broader community in helping keep PropAI secure. If you discover a security vulnerability in our platform, please disclose it to us responsibly:

  • Email us at support@propai-proposals.com with “Security” in the subject line.
  • Include a description of the vulnerability, steps to reproduce it, and any potential impact you have identified.
  • Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it.

We aim to acknowledge all security reports within 48 hours and will keep you informed as we work to resolve the issue.

8. Limitations

Despite our best efforts, no system is 100% secure. We cannot guarantee absolute security against all threats, including sophisticated attacks by determined adversaries, zero-day vulnerabilities in third-party software, or events beyond our reasonable control.

We recommend that you use a strong, unique password for your PropAI account, keep your login credentials confidential, and contact us immediately at support@propai-proposals.com if you suspect your account has been compromised.

9. Contact

For security concerns or questions about this page, please contact us at:

PropAI

support@propai-proposals.com

propai-proposals.com