Trust & Security

Built to protect your business and your clients.

Agencies trust Propogen with sensitive client data — proposals, contracts, invoices, messages, and files. Here is exactly how we protect it.

Infrastructure

Hosted on Vercel with global CDN and edge distribution. Vercel maintains SOC 2 Type II compliance.
Database, authentication, and file storage powered by Supabase (AWS us-east-1), which is also SOC 2 Type II certified.
No self-managed servers — we rely on infrastructure providers with dedicated security and compliance teams.

Encryption

All data in transit is encrypted using TLS 1.2 or higher between your browser and our servers and between our services.
All data at rest — including database contents, file storage, and backups — is encrypted using AES-256 by Supabase and Vercel.
Passwords are never stored in plaintext. Authentication is handled by Supabase Auth using secure hashing.

Access Controls

Row Level Security (RLS) is enforced at the database level on every table. Queries are scoped to the authenticated user's workspace — no exceptions.
Every API route verifies the user's session and confirms that the requested resource belongs to their workspace before executing.
Role-based permissions (owner, admin, member, and custom roles) are enforced server-side, not just in the UI.
Sensitive actions — billing changes, member management, workspace deletion — require the appropriate role to be verified at the API level.

Webhook & API Security

All inbound webhooks from payment processors and integrations are verified using HMAC signature verification before any payload is processed.
Webhook processing is fail-closed — if a webhook secret is not configured or a signature does not match, the request is rejected with 401.
Internal cron and admin endpoints use timing-safe secret comparison (crypto.timingSafeEqual) to prevent timing attacks.
No secrets or API keys are exposed to the client. Only public-safe NEXT_PUBLIC_ variables reach the browser.

Input Validation & XSS Protection

All database queries use the parameterized Supabase client — no raw SQL construction anywhere in the codebase.
User-generated HTML content (contract bodies, proposal blocks, legal sections) is sanitized through DOMPurify with an allow-list before rendering.
File upload paths are validated against an allow-list of permitted folders. Path traversal sequences are rejected.
HTML content in transactional emails (portal invites, magic links) has all entities escaped before injection into email templates.

Rate Limiting & Abuse Prevention

Public form submission endpoints are rate-limited by IP address (max 10 uploads per IP per hour) to prevent storage abuse.
Authentication endpoints (login, signup, password reset) are rate-limited to prevent brute-force attacks.
AI and Captain endpoints are rate-limited per workspace to prevent quota exhaustion.
Authentication failures are always fail-closed — infrastructure errors return 503, not a bypass.

Audit Logs

Significant actions within a workspace — member invites, role changes, document sends, automation runs, AI actions — are recorded in an audit log.
Audit logs are scoped to the workspace and visible to workspace owners and admins.
Logs are retained for up to 12 months. See our Data Retention Policy for details.

AI Data Handling

Captain AI features are powered by OpenAI (GPT-4o). Prompts and context are sent to OpenAI's API over an encrypted connection.
We configure the OpenAI API to opt out of data being used for model training, to the extent permitted by the applicable API agreement.
AI actions that affect workspace data require explicit user approval before execution.
AI prompt inputs, outputs, and action logs are stored within your workspace and subject to the same access controls as all other workspace data.
No system is 100% secure. We implement industry-standard controls and work to keep them current. However, no platform can guarantee absolute security against all threats. You are responsible for the security of your account credentials, the roles and permissions you assign to team members, and the integrations you connect to your workspace.

Responsible Disclosure

If you discover a security vulnerability in Propogen, please report it to us privately at security@propogen.com. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it. We aim to acknowledge all security reports within 2 business days and to resolve confirmed vulnerabilities as a priority.

Subprocessors

See every third-party service that may process your data.

View list

Last updated: June 3, 2026 · Questions? Email security@propogen.com