Infrastructure
The Prospct.io platform runs on hardened cloud infrastructure with multi-region redundancy, DDoS protection at the edge, isolated network environments and continuous vulnerability scanning at the operating-system and container layers.
Encryption
- All data in transit is encrypted with TLS 1.2 or higher.
- All data at rest is encrypted with AES-256.
- Secrets are stored in a managed key vault with automatic rotation.
Access Controls
- Role-based access control (RBAC) inside the platform.
- Single sign-on (SSO) available on enterprise plans.
- Multi-factor authentication (MFA) for internal staff accessing production systems.
- Least-privilege access with periodic review.
Monitoring & Logging
We centralize application, infrastructure and security logs. Alerts route to an on-call rotation 24/7. Anomaly detection covers authentication, API traffic and privileged actions.
Compliance
Prospct.io operates under GDPR and CCPA frameworks and offers a Data Processing Agreement to customers on request. We continually invest in our compliance posture — the current status of certifications, along with any active audit reports, is available on request from security@prospct.io.
Resilience & Backups
Databases are backed up daily with point-in-time recovery. Backups are encrypted and geographically replicated. We test restore procedures on a regular schedule.
Secure Development
- Peer code review required for every change reaching production.
- Automated dependency scanning and secret scanning in CI.
- Segregated staging and production environments.
- Security training for engineering staff.
Incident Response
We maintain a documented incident response plan with defined severity levels, on-call rotation, forensic capture and customer-notification procedures. Confirmed incidents affecting customer data are communicated without undue delay.
Subprocessors
Prospct.io uses a limited set of vetted subprocessors to deliver our platform. Each is bound by a Data Processing Agreement (DPA) and reviewed on an annual basis for security posture and privacy compliance. Public DPAs from each subprocessor are linked below.
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Primary application & database hosting | US / EU | View DPA |
| Google Cloud Platform | Data processing & warehousing | US / EU | View DPA |
| Cloudflare | CDN, DDoS protection & DNS | Global edge | View DPA |
| Supabase | Managed Postgres, auth & storage | US / EU | View DPA |
| Stripe | Payment processing & billing | US | View DPA |
| Resend | Transactional email delivery | US | View DPA |
| Sentry | Error monitoring & performance tracing | US | View DPA |
| Slack Technologies | Internal alerting & customer notifications | US | View DPA |
| HubSpot | CRM & customer support tickets | US / EU | View DPA |
| Google Workspace | Business email & document collaboration | US / EU | View DPA |
Customers may subscribe to updates on subprocessor changes by writing to security@prospct.io. We provide at least 30 days' notice before adding a new subprocessor that processes customer data.
Platform Status
Real-time uptime, incidents and scheduled maintenance for the Prospct.io API, dashboard and integrations are published on our public status page: status.prospct.io. Subscribe there for incident notifications by email, SMS or RSS.
Vulnerability Disclosure
Found something? Please email security@prospct.io with a description and reproduction steps. We acknowledge reports within 2 business days and coordinate a remediation timeline with the reporter.
