Trust & Security at Proof AI.
Restoration operators trust Proof with insurance-grade documentation, owner-protected health data, and the financial guts of their business. Here is what we do to earn that trust.
Security overview
All traffic to and from Proof is encrypted in transit with TLS 1.3, with HSTS preload enforced on the marketing surface (www.proofco.ai) and the product surface (app.proofco.io). Data at rest lives in AES-256-encrypted Postgres volumes managed by Supabase, with managed encryption keys and per-tenant database isolation. Customer uploads (photos, sketches, ESX files) live in S3-compatible object storage with server-side AES-256 encryption and are reachable only through signed URLs.
Access control is enforced at the database layer using Postgres Row-Level Security policies derived from Article III of our company constitution: every tenant query is scoped by JWT claim, and every read or write path is RLS-gated — there is no "admin bypass" application role. Internal staff access requires SSO with mandatory hardware-key MFA, and all production console access is logged and replayed for review.
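The tenant-scoping described above, as an added example rather than Proof's own schema or policies: a Postgres Row-Level Security setup in which every read and write is gated by the tenant id carried in the verified JWT. It assumes the PostgREST/Supabase convention of exposing the JWT payload as the transaction setting request.jwt.claims; the table, column and function names and the sample tenant ids are hypothetical.

```sql
-- Added example, not Proof's code. Assumes request.jwt.claims holds the
-- verified JWT payload as JSON (PostgREST/Supabase convention).
CREATE TABLE claims (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  summary   text NOT NULL
);

-- Tenant taken from the verified JWT. NULL when no JWT is present, so every
-- comparison below is NULL (treated as false) and access is denied by default.
CREATE FUNCTION current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT (nullif(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'tenant_id')::uuid
$$;

ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses RLS; FORCE is what makes a
-- "no admin bypass" claim hold for the owning application role.
-- (Superusers and roles with BYPASSRLS still bypass it: run the app as neither.)
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- USING gates which rows can be read, updated or deleted; WITH CHECK gates
-- which rows may be written. Dropping WITH CHECK would let a tenant insert
-- a row stamped with another tenant's id.
CREATE POLICY tenant_isolation ON claims
  FOR ALL
  USING      (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- Demo with constructed sample data: simulate two verified JWTs in one session.
SELECT set_config('request.jwt.claims',
  '{"sub":"user-a","tenant_id":"11111111-1111-1111-1111-111111111111"}', false);
INSERT INTO claims (tenant_id, summary)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Water loss, 12 Elm St');  -- allowed
INSERT INTO claims (tenant_id, summary)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant write');
  -- ERROR: new row violates row-level security policy for table "claims"

SELECT set_config('request.jwt.claims',
  '{"sub":"user-b","tenant_id":"22222222-2222-2222-2222-222222222222"}', false);
SELECT count(*) FROM claims;   -- 0: tenant B cannot see tenant A's row

SELECT set_config('request.jwt.claims', '', false);
SELECT count(*) FROM claims;   -- 0: no JWT, current_tenant() is NULL, denied
```

Run the demo as a plain database role that owns the table, not as a superuser, or the FORCE clause has nothing to demonstrate. The check a reviewer would make against a real deployment is the same one the demo makes: confirm that a token for tenant B returns zero rows from tenant A's data on every table, and that an insert stamped with a foreign tenant id is rejected rather than silently accepted.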
Our network architecture is a defense-in-depth perimeter: Cloudflare provides DDoS mitigation and WAF, Vercel hosts the marketing and product edge, and Supabase isolates the database VPC. Web workers run in container sandboxes with no shared persistent state. Backups are encrypted at the bucket level with separate key material and replicated across two AWS regions.
Vulnerability management is continuous: Sentry monitors production errors and runtime anomalies, Dependabot and Renovate keep dependencies patched within 30 days of upstream release, and we engage an external firm for an annual penetration test. The most recent pen-test summary letter (sanitized) is available to prospects under NDA.
Compliance
- SOC 2 Type II. Annual audit covering Security, Availability, and Confidentiality trust service criteria. Report available under NDA — request the SOC 2 Type II report.
- HIPAA. We sign Business Associate Agreements for healthcare-tier customers (sales-led). Restoration work on covered-entity premises (hospitals, clinics) triggers BAA coverage and locked PHI-handling controls.
- GDPR. Customers in the EEA are covered by Standard Contractual Clauses; our sub-processor list is published on our privacy page (§1.4) and notice of new sub-processors is given at least 30 days in advance.
- CCPA / CPRA. California residents can exercise data-subject rights through the self-service portal at app.proofco.io/account/privacy, including data export, deletion, and opt-out of "sale" (we do not sell personal information).
- PCI DSS. Payments are handled by Stripe; we never see or store full card numbers. Our tokenization integration is PCI DSS SAQ A compliant.
Sub-processors
Proof uses a short, audited list of sub-processors for infrastructure, analytics, payments, and AI inference. Each is bound by data-processing terms equivalent to our own. The current list and notification protocol live on the privacy page (§1.4).
Security questionnaire library
We maintain pre-populated answers for the standard industry questionnaires so we can move faster than your procurement deadline:
- SIG Lite — Shared Assessments standardized info gathering, short form.
- CAIQ v4 — Cloud Security Alliance Consensus Assessments Initiative Questionnaire.
- SOC 2 Type II report — full report (NDA required).
- Custom questionnaires — typical turnaround 5 business days.
Request the library at security@proofco.ai.
Vulnerability disclosure
Found a bug? We welcome responsible disclosure. Email security@proofco.ai with reproduction steps and (where possible) the impacted endpoint or feature. For sensitive reports, our PGP key fingerprint is published at /security.txt. We acknowledge every report within 24 hours, provide a triage assessment within 5 business days, and aim to patch critical issues within 30 days. We do not pursue legal action against good-faith researchers who follow our disclosure policy.
Business continuity
Our recovery targets are RTO ≤ 4 hours and RPO ≤ 1 hour for the production product surface. Backups are taken hourly with point-in-time recovery available for the last 30 days, and cross-region replication keeps a warm copy in a separate AWS region. We exercise the DR runbook quarterly with a documented chaos test — the latest exercise summary is available to enterprise customers on request.
Data residency
Customer data is hosted in the United States by default (us-east-1 primary, us-west-2 warm replica). EU data residency (Frankfurt primary) is available on Engine Pro for customers with regulatory data-locality requirements. Customer data does not leave its assigned region, with one exception: integrity verification of cross-region backups, which is performed against ciphertext only.
Security contact
For security questions, vulnerability reports, or compliance documentation requests: security@proofco.ai.