Prooflane — Security & Privacy

Enterprise-grade security and privacy compliance.

Security & Privacy Details

Concise overview of our security measures and privacy compliance features.

Data Protection

  • Transport security: all application traffic over HTTPS/TLS; database connections use TLS with certificate verification.
  • Application-level encryption for selected fields using Fernet (AES-128-CBC with HMAC-SHA256).
  • Database: PostgreSQL; application access uses a least-privilege account.

Infrastructure & Hardening

  • Stack: Nginx (TLS termination + headers), Django (security-patched), Gunicorn, containerized deployment on an isolated network; only the HTTPS endpoint is internet-accessible.
  • Security headers: HSTS, X-Frame-Options: DENY, CSP, Referrer-Policy, Permissions-Policy.
  • Sessions & cookies: CSRF enabled; cookies marked Secure, HttpOnly, SameSite.
  • Secrets & keys are provided via platform secrets at runtime, with a documented rotation procedure.

Platforms

  • Backend framework: Django (Python)
  • App server: Gunicorn
  • Reverse proxy / TLS: Nginx
  • Containers: Docker (isolated network)
  • Database: PostgreSQL
  • AI integration: Server-side API calls over TLS

Tenancy & Access

  • Company-scoped data; records are limited to the active company context.
  • Roles per company: Admin, Editor, Viewer; one App Admin for global setup.

Compliance

  • GDPR (alignment): processor role, TLS, encryption, access controls, data deletion supported.
  • SOC 2 (alignment): controls mapped to Security & Confidentiality; Type I/II examinations not performed.
  • ISO 27001 (alignment): relevant Annex A areas addressed in practice; ISMS certification not in place.
  • PCI DSS: out of scope; cardholder data not processed.
  • Subprocessors operate under data-protection terms; training/retention settings disabled.

AI Usage (Suggestions Only)

  • AI outputs are recommendations; changes occur only upon user save.
  • Prompts are minimized to exclude direct identifiers and sent server-side over TLS.
  • Customer data is not used to train proprietary models.
  • Provider training/retention settings disabled where supported.
  • AI prompts and responses are not stored beyond operational needs.