
Security

Last updated: July 1, 2026

This page is maintained by Prospct.io to answer common security questions about our platform. It describes practices we operate today and the shared responsibilities between Prospct.io, our infrastructure providers, and our customers.

Infrastructure

The Prospct.io platform runs on hardened cloud infrastructure with multi-region redundancy, DDoS protection at the edge, isolated network environments and continuous vulnerability scanning at the operating-system and container layers.

Encryption

  • All data in transit is encrypted with TLS 1.2 or higher.
  • All data at rest is encrypted with AES-256.
  • Secrets are stored in a managed key vault with automatic rotation.

Access Controls

  • Role-based access control (RBAC) inside the platform.
  • Single sign-on (SSO) available on enterprise plans.
  • Multi-factor authentication (MFA) for internal staff accessing production systems.
  • Least-privilege access with periodic review.

Monitoring & Logging

We centralize application, infrastructure and security logs. Alerts route to an on-call rotation 24/7. Anomaly detection covers authentication, API traffic and privileged actions.

Compliance

Prospct.io operates under GDPR and CCPA frameworks and offers a Data Processing Agreement to customers on request. We continually invest in our compliance posture — the current status of certifications, along with any active audit reports, is available on request from security@prospct.io.

Resilience & Backups

Databases are backed up daily with point-in-time recovery. Backups are encrypted and geographically replicated. We test restore procedures on a regular schedule.

Secure Development

  • Peer code review required for every change reaching production.
  • Automated dependency scanning and secret scanning in CI.
  • Segregated staging and production environments.
  • Security training for engineering staff.

Incident Response

We maintain a documented incident response plan with defined severity levels, on-call rotation, forensic capture and customer-notification procedures. Confirmed incidents affecting customer data are communicated without undue delay.

Subprocessors

Prospct.io uses a limited set of vetted subprocessors to deliver our platform. Each is bound by a Data Processing Agreement (DPA) and reviewed on an annual basis for security posture and privacy compliance. Public DPAs from each subprocessor are linked below.

Subprocessor | Purpose | Location | DPA
--- | --- | --- | ---
Amazon Web Services (AWS) | Primary application & database hosting | US / EU | View DPA
Google Cloud Platform | Data processing & warehousing | US / EU | View DPA
Cloudflare | CDN, DDoS protection & DNS | Global edge | View DPA
Supabase | Managed Postgres, auth & storage | US / EU | View DPA
Stripe | Payment processing & billing | US | View DPA
Resend | Transactional email delivery | US | View DPA
Sentry | Error monitoring & performance tracing | US | View DPA
Slack Technologies | Internal alerting & customer notifications | US | View DPA
HubSpot | CRM & customer support tickets | US / EU | View DPA
Google Workspace | Business email & document collaboration | US / EU | View DPA

Customers may subscribe to updates on subprocessor changes by writing to security@prospct.io. We provide at least 30 days' notice before adding a new subprocessor that processes customer data.

Platform Status

Real-time uptime, incidents and scheduled maintenance for the Prospct.io API, dashboard and integrations are published on our public status page: status.prospct.io. Subscribe there for incident notifications by email, SMS or RSS.

Vulnerability Disclosure

Found something? Please email security@prospct.io with a description and reproduction steps. We acknowledge reports within 2 business days and coordinate a remediation timeline with the reporter.

Shared Responsibility

Prospct.io secures the platform and underlying infrastructure. Customers are responsible for protecting their credentials, choosing strong passwords, enabling MFA where available, and managing role assignments inside their workspace.

Questions about this document? Email legal@prospct.io or visit our contact page.