Security

Last updated: February 15, 2026

Introduction

Security is foundational to everything we build at PromptOT. Your prompts are core intellectual property, and we treat their protection with the highest priority. This page outlines the security measures we implement across our infrastructure, application, and operational practices.

Infrastructure Security

PromptOT is hosted on Railway with Supabase as our database and authentication provider. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2+. Our infrastructure is deployed in secure, SOC 2 compliant data centers with physical security controls, redundant power, and network isolation.

Authentication

We use Supabase Auth for identity management, supporting passwordless email OTP (one-time password) authentication as well as OAuth providers including GitHub and Google. User sessions are managed with short-lived JWT tokens that are automatically refreshed. All authentication flows are conducted over encrypted connections.

API Security

API keys used for prompt delivery are hashed using SHA-256 before storage — we never store API keys in plain text. Each API key is scoped to an environment: production keys return published prompt versions, while development keys return the latest draft. Keys can be revoked at any time from the dashboard.
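The store-only-the-hash pattern described above, as an added illustration that is not PromptOT's own code: the key is generated with high entropy, only its SHA-256 digest is persisted, and delivery resolves the presented key to its environment by hashing it and looking the digest up. The `pk_live_`/`pk_dev_` prefixes, the in-memory store and the sample prompt texts are constructed for the example and are not claims about PromptOT's key format.

```python
import hashlib
import secrets
from typing import Dict, Optional

def hash_api_key(api_key: str) -> str:
    """Fingerprint of a key. A fast, unsalted hash is acceptable here because
    the key is a random 256-bit secret, not a low-entropy password."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

class ApiKeyStore:
    """Constructed in-memory stand-in for the key table: digest -> metadata.
    The plaintext key is never kept after it has been returned to the caller."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, dict] = {}

    def create_key(self, project_id: str, environment: str) -> str:
        # Prefix is purely illustrative (assumption), it is not part of the page.
        prefix = "pk_live_" if environment == "production" else "pk_dev_"
        plaintext = prefix + secrets.token_urlsafe(32)
        self._by_hash[hash_api_key(plaintext)] = {
            "project_id": project_id,
            "environment": environment,
            "revoked": False,
        }
        return plaintext  # shown to the user exactly once

    def revoke(self, presented_key: str) -> bool:
        record = self._by_hash.get(hash_api_key(presented_key))
        if record is None:
            return False
        record["revoked"] = True
        return True

    def resolve(self, presented_key: str) -> Optional[dict]:
        """Hash the presented key and look it up; revoked keys resolve to None."""
        record = self._by_hash.get(hash_api_key(presented_key))
        if record is None or record["revoked"]:
            return None
        return record

# Constructed sample prompt data: a published version and a newer draft.
PROMPTS = {
    "prj_demo": {"published": "Summarise the ticket in two lines.",
                 "draft": "Summarise the ticket in two lines and flag PII."},
}

def deliver_prompt(store: ApiKeyStore, presented_key: str, project_id: str) -> Optional[str]:
    """Environment scoping: production keys get the published version,
    development keys get the latest draft. Unknown, revoked or
    wrong-project keys get nothing."""
    record = store.resolve(presented_key)
    if record is None or record["project_id"] != project_id:
        return None
    version = "published" if record["environment"] == "production" else "draft"
    return PROMPTS[project_id][version]
```

Because the lookup hashes the presented key first, a leaked copy of the key table yields only digests, and a digest cannot be presented as a key: hashing it again produces a different value that matches nothing.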

Data Protection

All 16 database tables are protected by Row Level Security (RLS) policies, ensuring that users can only access data belonging to their organization. The service role key, which bypasses RLS, is used exclusively on the server side and is never exposed to clients. Database access is logged and monitored for anomalous patterns.

Webhook Security

All webhook payloads are signed using HMAC-SHA256 with a per-project secret. The signature is included in the X-PromptOT-Signature header, allowing you to verify that webhook deliveries originate from PromptOT and have not been tampered with in transit.
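A receiver-side check for the signature described above, added here as an example rather than PromptOT's own SDK code. The page states HMAC-SHA256 with a per-project secret carried in `X-PromptOT-Signature`; the example assumes the header holds the lowercase hex digest of the raw request body with no prefix or timestamp, which is an assumption, not something the page specifies. The secret and payload are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

def sign_payload(secret: str, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes on the wire.
    Assumption: the header carries the hex digest with no prefix."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: str, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Receiver side. Reject a missing header, and compare in constant time
    so the check does not leak how many leading characters matched."""
    if not signature_header:
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, signature_header.strip().lower())

def reserialized(raw_body: bytes) -> bytes:
    """A common receiver mistake: parse the JSON, then re-encode it before
    verifying. Whitespace and key order are not guaranteed to survive, so the
    bytes, and therefore the MAC, differ from what the sender signed."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")

# Constructed sample: a compact JSON body and a per-project secret.
PROJECT_SECRET = "whsec_constructed_example_secret"
SAMPLE_BODY = json.dumps(
    {"event": "prompt.published", "prompt_id": "prm_demo", "version": 3},
    separators=(",", ":"),
).encode("utf-8")

if __name__ == "__main__":
    sig = sign_payload(PROJECT_SECRET, SAMPLE_BODY)
    print("genuine delivery accepted:", verify_webhook(PROJECT_SECRET, SAMPLE_BODY, sig))
    print("tampered body rejected:", not verify_webhook(PROJECT_SECRET, SAMPLE_BODY + b" ", sig))
    print("re-serialized body rejected:", not verify_webhook(PROJECT_SECRET, reserialized(SAMPLE_BODY), sig))
```

Read the body as raw bytes before any JSON middleware touches it and verify those bytes; the `reserialized` helper shows why verifying a re-encoded copy fails even for a genuine delivery. Treat the shared secret like a password: keep one per project, so a leak of one project's secret cannot forge deliveries for another.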

Access Control

PromptOT uses organization-based access control with role-based permissions. Organizations support four roles: Owner, Admin, Member, and Viewer. Each role has carefully scoped permissions that control access to projects, prompts, API keys, and organization settings. Project-level access controls provide additional granularity within organizations.

Compliance

We are actively working towards SOC 2 Type II certification. Our data handling practices are designed with GDPR awareness, including data minimization, right to deletion, and data export capabilities. We regularly review and update our security practices to align with industry standards and regulatory requirements.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the efforts of security researchers. If you discover a security issue, please report it to security@promptot.com. We commit to acknowledging your report within 48 hours and will work with you to understand and address the issue promptly. Please avoid public disclosure until we have had a reasonable opportunity to investigate and remediate.

Bug Bounty

We are planning to launch a formal bug bounty program to reward security researchers who help us identify and fix vulnerabilities. If you are interested in participating or would like to be notified when the program launches, please reach out to security@promptot.com.