Prooflytics
Security & compliance

Honest about what we do and what we don't.

GDPR-compliant by design, OAuth read-only by default, encryption at rest and in transit, full audit log, sub-processors disclosed, DPA available on request. SOC 2 is on the roadmap — we'll tell you exactly when we get there.

What's in place today

Encryption — at rest and in transit

All data in transit is protected by TLS. Data at rest is encrypted with industry-standard algorithms. OAuth tokens for connected ad platforms are encrypted under separate envelope keys before storage, isolated from application data. Pixel-collected email and phone identifiers are hashed client-side before they reach our servers; we never receive the raw values. A hashed email or phone number is pseudonymous rather than anonymous (anyone holding the same input can compute the same hash), so it remains personal data under GDPR.

OAuth read-only by default

Connecting Meta, Google Ads, or GA4 grants read access only. Write actions (pause campaign, change budget, duplicate creative) require an explicit per-recommendation Apply click — never auto-executed. Every applied change ships with rollback and an immutable audit-log entry.

GDPR-compliant by design

Our pixel integrates with all major consent frameworks (IAB TCF v2.2, Google Consent Mode v2, and leading CMPs) — events do not fire until consent is granted. DNT / Global Privacy Control headers are honoured automatically. Rights to access, delete, and export data are served in-app from Settings → Account — no support ticket needed. DPA available on request.

Full audit trail

Every change pushed back to your ad accounts is logged immutably: who clicked Apply, when, exact operation, and previous state. Exportable to CSV / JSON via Settings → Audit log. Retention follows your plan tier (Starter 30 days, Growth 90 days, Scale 1 year, Enterprise custom).

Pixel data minimisation

The Prooflytics Pixel does not collect full names, browsing history outside your domain, device fingerprints, third-party cookies, or form field values. Field-level tracking captures field names only, never the content. Fields whose name or type marks them as a password, CVV, SSN, or payment field are dropped entirely, name included, before any data leaves the browser.

Vulnerability disclosure

Found a security issue? Email security@prooflytics.io with details. We respond within 2 business days, fix critical issues within 7 days, and credit reporters in our changelog (with permission). See /.well-known/security.txt for the canonical disclosure policy.

Compliance status — no marketing fluff

We list every compliance certification with its actual current status. No SOC 2 logos until we hold the report. No "in audit" claims unless we are. If you need something not yet checked off, email security@prooflytics.io and we will give you a real timeline plus what we can sign in the meantime.

SOC 2 Type II

Roadmap

Targeting H2 2026 — readiness assessment in progress with a third-party compliance-automation platform. We do not currently hold a SOC 2 report.

ISO 27001

Not yet

Will follow SOC 2. Bring up if you need it for procurement and we will share timeline.

EU-only data residency

Available

On Growth+ plans we provision your tenant in an EU-region database (eu-central-1) with EU-jurisdictioned object storage. Request via security@prooflytics.io.

External penetration test

Scheduled

First external pen-test scheduled before SOC 2 audit kickoff. Until then we run quarterly internal security reviews and automated dependency and vulnerability scanning.

Bug bounty program

Not yet

Single-channel disclosure via security@prooflytics.io for now. Bounty programme will follow first external pen-test.

Third-party sub-processors

We engage third-party service providers to operate Prooflytics — covering infrastructure hosting, payment processing, authentication, transactional email, and error monitoring.

All sub-processors are bound by data processing agreements with Prooflytics and are prohibited from using your data for any purpose beyond delivering services to you. The complete, named sub-processor list is included in the DPA we sign with each customer.

Adding a sub-processor triggers a 30-day customer notice.

Frequently asked

Where is my data stored?

Primary data is stored in managed cloud databases located in the US by default. EU-region storage is available on Growth+ plans — request it via security@prooflytics.io. AI inference for briefings and recommendations uses your data in-flight only; it is not used for model training per our AI service provider agreements.

Can I get a Data Processing Agreement (DPA)?

Yes — email security@prooflytics.io with the legal entity you want named in the DPA. We return a counter-signed DPA within 2 business days. Standard contractual clauses (SCCs) are included for EU↔US transfers. The DPA includes our full sub-processor list.

How long is my data retained?

Data is retained for the duration of your active subscription. On account deletion, raw event data and connected ad-account data are purged within 30 days. Aggregated, anonymised metrics may be retained for product benchmarks; opt out via Settings → Account → Data sharing.

Is my data ever used for advertising or sold?

Never. Prooflytics charges subscription fees — your data exists only to power your dashboards and AI briefings. We do not sell data, share it with ad networks, or allow cross-tenant data access. Our AI service providers do not train on customer data per their API terms.

What happens if Prooflytics is acquired?

Customers are notified within 30 days of any acquisition. The acquiring company must honour all existing DPAs and data-processing terms. Customers have a 90-day window to export data and exit without penalty.

Do you support SSO / SCIM?

SSO via Google, Microsoft, and standard OIDC providers is available on every plan. SAML SSO and SCIM provisioning are available on the Enterprise tier — contact sales@prooflytics.io to enable.

How do I delete my data immediately?

Settings → Account → Delete workspace triggers immediate disconnection of all OAuth tokens and a 30-day deletion job. Email security@prooflytics.io to request expedited deletion (within 7 days) if you have a regulatory deadline.

Need a vendor security questionnaire filled out?

We respond to standard questionnaires (SIG Lite, CAIQ, custom) within 5 business days. Email security@prooflytics.io with the document attached and any deadline you're working to.

For real-time vendor discussions or RFP support: sales@prooflytics.io.