Security

Information about system security, certifications, and reports.

Relentless dedication to security should be the core design principle for every software product, and as such, we make it our #1 priority to keep your data safe and secure.

In the following, you can find all public information related to security of PROMPTMETHEUS systems and services.

Detailed system information and security reports are available for business customers only. You can request the PROMPTMETHEUS Security Report and specific system information here:


Request Security Report

How we keep your data safe

In order to develop secure software, we adhere – to the best of our knowledge and ability – to industry best practices and rely on established, well-maintained software frameworks like Django and Nuxt, which have various security measures built in.

The following state-of-the-art methods and procedures are employed to increase system safety:

Encryption

  • SSL/TLS
    Data is always encrypted when transmitted over the internet.
  • Passwords
    All passwords are encrypted and never stored in clear-text.

Software updates

Wherever possible, we keep software packages that our systems rely on up-to-date. Operating system-level security patches and updates are applied automatically.

Automated testing

Software we deploy is subjected to automated unit- and end-to-end testing pipelines in every deployment cycle to ensure functionality, security, and access control.

Monitoring

The system is monitored for issues and vulnerabilities by

Compliance and certifications

We are working on establishing enterprise grade compliance and certification.

Compliance

Certification

Service Availability

Availability of all PROMPTMETHEUS systems is monitored by Uptime Robot. Admins get notified about downtime within 5 minutes of occurrence and can respond accordingly.

Current status and 90-day history are publicly available on the system status page.

Data Privacy and -Processing

All information related to data privacy and -processing is outlined in our Privacy Policy.

Security of 3rd-party services

The overall security of a system is only as good as its weakest link. Therefore, we work exclusively with established 3rd-party services who take security as seriously as we do.

Here is the list of relevant 3rd-party service providers that we rely on, together with their respective certifications and security information.

GitHub

We use GitHub to store all of our source code.

GitHub is the industry leader for source code management and SOC 1/2, CSA, GDPR, ISO 27100, ISO 27701, and ISO 27018 compliant. For more information, please visit their security page.

DigitalOcean

We use DigitalOcean as the cloud service provider for our database and backend services.

DigitalOcean is a trusted industry player and SOC 2/3, CSA, GDPR, and CBPR compliant. DigitalOcean also features built-in DDoS protection for all droplets. For more information, please visit their security page.

Vercel

We use Vercel as the DNS and cloud service provider for all PROMPTMETHEUS frontends.

Vercel is a trusted industry player and SOC 2 and GDPR compliant. They use AWS infrastructure and encrypt and back up all of their data. For more information, please visit their security page.

Stripe

We use Stripe as our payment provider and only store Stripe customer, subscription, and product IDs in our databases for maximum security. All sensitive payment information, like billing address and credit card details, is stored exclusively on secure and battle-tested Stripe infrastructure.

Stripe is the industry leader for payments infrastructure, PCI Level 1 certified, and SOC 1/2 compliant. For more information, please visit their security page.

LLM APIs and service providers

The business model of "LLM as a service" is quite new and the industry is still in the process of establishing the standards and best practices.

By using the PROMPTMETHEUS platform, you are subject to the same security risks that you would incur if you interacted with the providers' APIs directly.

Reporting vulnerabilities

If you, despite all our efforts, discover any vulnerabilities in our systems, please report them confidentially at security@promptmetheus.com and do not disclose them to the public.

Note that there is currently no bounty program and we can unfortunately not compensate you for your investigations and reporting, except with an entry in our Hall of Fame.

Questions and suggestions

If you have any questions about the above security details or want to make any suggestions, please don't hesitate to get in touch at security@promptmetheus.com.

PROMPTMETHEUS © 2024