Prooflytics
Security & compliance

Built for audit-heavy teams.

Most marketing tools treat security as a checkbox. Prooflytics treats it as a feature. SOC 2 Type II, GDPR, OAuth read-only by default, full audit log of every change pushed to your accounts.

SOC 2 Type II — in progress

Audit underway with a tier-1 firm. Our control list, evidence collection, and policies are based on the AICPA Trust Services Criteria — Security, Availability, and Confidentiality. Bridge letter available on request.

GDPR-compliant by design

EU-friendly data residency, DPA on request, named DPO contact, sub-processor list published. Right to access / delete / export served through Settings → Account, no support ticket needed.

Encryption — at rest and in transit

TLS 1.3 for all connections. AES-256 at rest for the Postgres tier. OAuth tokens encrypted with envelope keys, stored separately from app data. Per-tenant key derivation on enterprise tier.

OAuth read-only by default

Connecting an ad account grants read access only. Write actions (pause, budget shift, creative duplicate) require explicit per-recommendation approval — and ship with rollback + audit log. We never auto-execute on your accounts.

Full audit trail

Every change pushed back to your ad accounts is logged with: who clicked Apply, when, what was applied, and what the previous state was. Exportable to CSV / JSON. Auditors love it.

Incident response

24h notification window for any incident affecting customer data. Public status page (status.prooflytics.io). Postmortems within 5 business days for severity-1 incidents.

Frequently asked

Where is customer data stored?

Primary Postgres on Neon (AWS us-east + eu-central with replica failover). LLM inference on Anthropic — data is not used for training per the Anthropic API agreement.

Can I get a SOC 2 / GDPR DPA?

Yes — request via hello@prooflytics.io. Bridge letter available immediately, full Type II report distributed to subscribed customers when audit completes.

How long is data retained?

While the workspace is active. On account deletion, raw data is purged within 30 days. Aggregated, anonymised metrics may be retained for product benchmarks (opt-out via Settings).

Is data ever shared with third parties?

Only with sub-processors listed in our DPA (Anthropic for LLM inference, Stripe for billing, Resend for email, PostHog for product analytics, Sentry for errors). Never sold, never used for advertising.

Do you run penetration tests?

Yes — annual external pen-test with a qualified vendor. Latest report available under NDA on request.

Need a vendor security questionnaire filled out?

We respond to standard questionnaires (SIG, CAIQ, custom) within 5 business days. Email security@prooflytics.io with the document attached.