Promptic GmbH
Security and TOMs
Effective date: May 15, 2026
1. Security program
Promptic applies privacy-by-design and security-by-design principles to the service. The controls below are designed to protect account data, customer content, traces, model provider credentials, billing data, and operational telemetry against unauthorized access, disclosure, alteration, and loss.
2. Technical and organizational measures
| Control area | Measures |
|---|---|
| Access control | Role-based organization and workspace access, least-privilege administrative access, authenticated dashboard access, API key verification for trace ingestion, and permission checks before workspace, billing, and organization actions. |
| Authentication | Better Auth-based email/password, email OTP, social OAuth, email verification, device authorization, session management, session cookie cache, invitation controls, and token expiry. |
| Data segregation | Workspace and organization scoping, database row-level security patterns, repository-level authorization checks, and separation between customer workspaces. |
| Encryption and secrets | TLS for data in transit, encrypted provider secrets before database storage, Azure Key Vault for production secrets, restricted environment variables, and support for customer-provided model API keys. |
| Infrastructure location | Core production infrastructure is configured with an EU focus where available: Vercel serverless functions in Frankfurt, Neon PostgreSQL in Azure Germany West Central, Azure resources primarily in West Europe, and, for platform OpenAI processing, Promptic's OpenAI project configured for Europe. |
| AI processing controls | Platform OpenAI processing uses Promptic's OpenAI project configured for Europe together with OpenAI API data controls, including no training on API inputs and outputs by default and Modified Abuse Monitoring where the API processing is eligible. Customer-selected providers are used only on Customer instruction or configuration. |
| Logging and monitoring | Operational logs, application diagnostics, monitoring, uptime checks, incident response tooling, and error tracking through configured providers including Better Stack and optional Azure Monitor/Application Insights. |
| Availability and resilience | Managed hosting, PostgreSQL point-in-time restore configuration, Azure Service Bus queues, backend worker retry controls, backup and disaster-recovery practices, and infrastructure-as-code management. |
| Data minimization | Promptic asks customers not to submit special category data, criminal-offence data, protected health information, payment card numbers, government identifiers, secrets, or other highly sensitive data unless expressly agreed in writing. |
| Vendor management | Use of subprocessors with published privacy/security terms, DPAs where available, transfer safeguards, and ongoing review of material service providers listed on the subprocessor page. |
| Secure development | Type checking and linting workflows, dependency management through package managers, code review expectations, scoped database access patterns, rate limiting, input validation, and environment-specific configuration. |
| Incident response | Monitoring, investigation, containment, communication, and remediation workflows. Customers are notified without undue delay after Promptic becomes aware of a personal data breach affecting Customer Personal Data. |
3. Retention and deletion controls
- Customer content and traces are retained while the relevant workspace or account remains active, until deleted in-product, or as instructed by Customer.
- Active-system deletion is processed promptly. Encrypted backup and disaster-recovery copies are targeted for expiry within 90 days unless legal preservation, security investigation, or statutory retention is required.
- Azure Service Bus production job messages are configured with one-day retention; the audit/debug subscription is configured with seven-day retention.
- Security logs and diagnostics are normally retained for up to 180 days unless needed longer for incident, fraud, abuse, legal, or integrity reasons.
4. Customer responsibilities
Customers are responsible for protecting their credentials, configuring access permissions carefully, rotating API keys when needed, choosing appropriate model providers, reviewing BYOK/custom-provider terms, and avoiding unnecessary personal or sensitive data in prompts, datasets, traces, and provider configurations.
Customers should use pseudonymized or synthetic data where possible and should not include sensitive data in customer content unless the customer has a lawful basis, appropriate safeguards, and a written agreement with Promptic allowing that processing.
5. Related documents
Security review requests can be sent to hello@promptic.eu.