Security

Security you can rely on

PromptLab is built for production. Your prompts, keys, and deployment pipeline are protected at every layer.

Prompt Privacy

  • Prompt content is isolated per organisation. No cross-tenant data access is possible by design.
  • Prompts are never used to train or fine-tune any AI model — yours or ours.
  • Version history is stored encrypted and accessible only to authenticated members of your workspace.

Encrypted Communication

  • All data in transit is encrypted using TLS 1.3. Older TLS versions are rejected.
  • API keys are hashed with bcrypt before storage. Plain-text keys are never persisted.
  • Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity on your side.

Secure Infrastructure

  • Hosted on AWS with data residency in us-east-1 (US) and eu-west-1 (EU).
  • All persistent data is encrypted at rest using AES-256.
  • Automated daily backups with 30-day retention. Restore tested monthly.

Access Control

  • Role-based access control: Admin, Editor, and Viewer roles per workspace.
  • API keys are scoped — read-only, write, or deploy permissions. Principle of least privilege.
  • SSO via SAML 2.0 available on Pro plan. Enforce your organisation's identity provider.

Deployment Safety

  • Gradual rollouts enforce canary deployments — prompts never go to 100% traffic instantly.
  • Automated rollback triggers: define error-rate or quality-score thresholds. We revert automatically.
  • Deployment audit logs capture who changed what, when, and to which traffic percentage.

Compliance & Posture

  • SOC 2 Type II audit in progress. Report available to Pro customers under NDA.
  • GDPR-compliant data handling. Data Processing Agreement (DPA) available on request.
  • Internal security reviews conducted quarterly. Penetration test results available on request.

Responsible Disclosure

Found a vulnerability?

We take security reports seriously. If you discover a potential security issue, please email security@promptlab.dev with a description and reproduction steps. We will acknowledge within 24 hours and provide a resolution timeline.

We ask that you do not publicly disclose vulnerabilities until we have had a reasonable time to address them. We do not currently offer a formal bug bounty but will credit responsible reporters in our changelog.