
Security

Last updated: April 26, 2026

We treat customer data the way we'd want our own data treated. Here's how we secure Prospektr™.

Encryption

  • In transit: All Service traffic is encrypted via TLS 1.2+. HSTS is enforced.
  • At rest: Customer data lives in a managed Postgres instance (Neon) with disk-level encryption. Backups are encrypted at the storage layer.
  • Cookies: Session cookies are HTTP-only, secure, and SameSite=Lax. Client-side JavaScript cannot read them.

Authentication

  • Passwordless sign-in via single-use email magic links.
  • Session tokens stored server-side; revocable from the database.
  • Sessions expire after 30 days of inactivity.
  • No password to leak.

Payment security

All billing is handled by Stripe. We never see your full card number. Stripe is PCI-DSS Level 1 certified. We store only the customer ID, subscription status, and last-four digits.

Infrastructure

  • Hosted on Vercel (USA) with edge network and DDoS mitigation.
  • Database on Neon (USA) with point-in-time recovery and automatic backups.
  • Email delivery through Resend with SPF / DKIM / DMARC enforced on outbound mail.

Access controls

  • Tenant isolation: Every database query is scoped to the authenticated tenant. There is no shared-data access path; a compromised account cannot read another tenant's data.
  • Internal access: Production database access is limited to a small set of administrators with audit logging. We do not browse customer data without explicit written consent (e.g., to help debug a support ticket).
  • Sub-processor access: Each sub-processor receives only the minimum data needed (see Privacy Policy).

API key handling

Customers can paste API keys (Smartlead, Reply.io, webhook secrets) into Prospektr to enable auto-export. These are stored in our encrypted database, surfaced as masked password fields in the UI, and only sent to the corresponding vendor when pushing a lead.

Logging & monitoring

Application logs capture errors and security-relevant events. We do not log full customer data or AI classifier output by default. Logs rotate after 30 days.

Vulnerability disclosure

Found a security issue? We want to know. Email security@prospektr.co with details and proof-of-concept. We commit to responding within 3 business days. We do not have a public bug-bounty program yet but are happy to publicly credit responsible researchers.

Compliance

Prospektr is operated from the United States. We follow GDPR and CCPA principles: customers may request access, correction, export, or deletion of their data at privacy@prospektr.co.

Status & transparency

Service status is available at /status. We post incident reports for any outage longer than 30 minutes.