Built for security teams to approve, not interrogate.
The technical version of /trust. For CISOs, security engineers, and procurement reviewers. Sources cited, dates honest, gaps flagged.
Encryption
TLS 1.3 in transit (HSTS, no mixed content). AES-256 at rest in Postgres (Supabase EU). Per-customer encryption keys for stored check inputs. Secrets rotated quarterly via HashiCorp Vault. No customer secrets ever logged.
Access controls
Role-based access for Prism staff. Production access logged and reviewed weekly. Customer data accessible only on explicit support ticket with audit trail. SAML SSO available on Team and Agency tiers; SCIM provisioning available on Enterprise.
Architecture
Stateless edge runtime (Vercel) for routing and read paths. Long-running jobs (check execution) in Vercel Functions with isolated workspaces per request. Postgres (Supabase) with row-level security on every customer-facing table. Inference traffic to model providers is per-call, no batched cross-customer inference.
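What "row-level security on every customer-facing table" looks like in practice, as an added example that is not Prism's schema or code: a per-workspace Postgres RLS setup with the two checks a reviewer would want to run against it. The table and column names, the `workspace_ids` JWT claim, and the `check_runs` fixture rows are assumptions for illustration; the `request.jwt.claims` setting is the one PostgREST (and therefore Supabase) populates from the caller's token.

```sql
-- Added example, not Prism's schema. Table, column and claim names are assumed.
create table if not exists check_runs (
  id           bigint generated always as identity primary key,
  workspace_id uuid not null,
  created_by   uuid not null,
  input_ref    text not null,
  created_at   timestamptz not null default now()
);

-- ENABLE alone still exempts the table owner from the policies;
-- FORCE makes owner-run queries go through them too.
alter table check_runs enable row level security;
alter table check_runs force row level security;

-- Workspace ids of the caller, read from the JWT claims that PostgREST/Supabase
-- expose as request.jwt.claims. Assumed claim name: "workspace_ids" (JSON array).
-- Missing setting or missing claim yields an empty array, i.e. no access.
create or replace function current_workspace_ids() returns uuid[]
language sql stable as $$
  select coalesce(
    (select array_agg(value::uuid)
       from jsonb_array_elements_text(
              current_setting('request.jwt.claims', true)::jsonb -> 'workspace_ids')),
    '{}'::uuid[]);
$$;

-- Reads: only rows in a workspace the caller belongs to are visible.
create policy check_runs_select on check_runs
  for select
  using (workspace_id = any (current_workspace_ids()));

-- Writes: WITH CHECK is what stops a client from inserting rows into another
-- workspace, or claiming a different author than the token's subject.
create policy check_runs_insert on check_runs
  for insert
  with check (workspace_id = any (current_workspace_ids())
              and created_by = (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')::uuid);

-- Updates need both: USING selects which rows may be touched, WITH CHECK
-- constrains the row as it will be after the update (no moving rows across workspaces).
create policy check_runs_update on check_runs
  for update
  using (workspace_id = any (current_workspace_ids()))
  with check (workspace_id = any (current_workspace_ids()));

create policy check_runs_delete on check_runs
  for delete
  using (workspace_id = any (current_workspace_ids()));

-- Reviewer check 1: coverage. Any table in public without RLS enabled AND forced
-- is a gap in the "every customer-facing table" claim. Expected result: no rows.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
 where n.nspname = 'public'
   and c.relkind = 'r'
   and not (c.relrowsecurity and c.relforcerowsecurity);

-- Reviewer check 2: isolation. Run as a NON-superuser role (superusers and roles
-- with BYPASSRLS ignore policies entirely). Impersonate a caller who belongs to
-- one workspace and confirm the other workspace's rows do not exist for them.
begin;
  -- Constructed fixture claims; set_config(..., true) scopes them to this transaction.
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001",'
    '"workspace_ids":["11111111-1111-1111-1111-111111111111"]}', true);

  insert into check_runs (workspace_id, created_by, input_ref)
  values ('11111111-1111-1111-1111-111111111111',
          '00000000-0000-0000-0000-000000000001', 'run-a');

  -- Must be rejected by check_runs_insert (new row violates row-level security policy).
  -- Left commented because the error would abort the transaction:
  -- insert into check_runs (workspace_id, created_by, input_ref)
  -- values ('22222222-2222-2222-2222-222222222222',
  --         '00000000-0000-0000-0000-000000000001', 'run-b');

  -- Exactly the caller's own rows, never anyone else's.
  select count(*) as visible_rows from check_runs;
rollback;
```

Two things worth asking a vendor about such a setup, since neither shows up in the policies themselves: which server-side code paths run as a role that bypasses RLS (in Supabase the `service_role` key does), and whether the policies are forced, since an un-forced policy silently exempts the table owner.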
Audit logs
Per-workspace audit log: every check run, every report download, every API call, every team-member invite. Retained 13 months (Free), 36 months (Team), 7 years (Enterprise). Exportable as JSON.
Penetration testing
External pen-test annually (next: Q3 2026, scope and report shared with Team and Enterprise customers under NDA). Bug bounty active, see below.
Incident response
Critical incidents disclosed to affected customers within 72 hours. Full post-mortem published on /changelog within two weeks. Status page with subscribable alerts at status.prism.ai.
Dated. Honest about gaps.
Find a vulnerability, get paid.
Active program. Critical findings: €2,000–€10,000. High: €500–€2,000. Medium: €100–€500. Low: €50 + Prism credit. Disclose privately to security@prism.ai with a working PoC. We respond within 48 hours.