Skip to main content

Security & Privacy Overview

PrompTick is operated by Pragee Technologies LLP (LLPIN: ACR-4297). This section explains how the platform is built from a security and privacy standpoint, so you can make informed decisions about what data to send through it.

If you are evaluating PrompTick for a regulated use case, start here, then read Data Handling and Compliance.

At a glance

  • Authentication — Email one-time codes (OTP). No stored passwords in the primary sign-in flow; sessions are managed with secure, HTTP-only cookies.
  • Hosting region — Application servers and the primary database run in Google Cloud's europe-west1 region. Supporting job-queue infrastructure is hosted on a dedicated VPS operated by Pragee, also in the EU.
  • Transport — All client ↔ server and server ↔ third-party traffic is over TLS.
  • At-rest encryption — All application data and secrets are encrypted at rest by default.
  • Secrets — Production secrets (API keys, DB credentials, provider keys) are held in a dedicated secrets store, never in source control, and injected at deploy time.
  • API authentication — Agent and MCP API keys are hashed before storage; the plaintext is shown to you exactly once and cannot be recovered afterwards. See API Keys.
  • Observability — Error telemetry via Sentry; product analytics via Mixpanel. Both carry user IDs and event metadata but are not a substitute for your own logs.
  • AI providers — Prompts and inputs are sent to the model provider that serves the model you select for each call. Email is sent via Resend. The full subprocessor list — including the AI providers we currently route to — is in Data Handling.

What's in this section

  • Data Handling — what we store, where it lives, which third parties see it, and how long it sticks around.
  • API Keys — how agent (pk_live_) and MCP (mk_live_) keys are generated, stored, rotated, and revoked.
  • Compliance — legal entity, EU AI Act transparency, and what's covered by the enterprise-compliance gate.

Out of scope

This section documents platform security. It does not cover:

  • Security of the prompts you write or the outputs a language model produces. Treat model outputs as untrusted input to downstream systems.
  • Customer-managed encryption keys, bring-your-own-cloud, or self-hosted deployments — those sit under the enterprise tier; reach out if you need them.