Security & Privacy Overview
PrompTick is operated by Pragee Technologies LLP (LLPIN: ACR-4297). This section explains how the platform is built from a security and privacy standpoint, so you can make informed decisions about what data to send through it.
If you are evaluating PrompTick for a regulated use case, start here, then read Data Handling and Compliance.
At a glance
- Authentication — Email one-time codes (OTP). No stored passwords in the primary sign-in flow; sessions are managed with secure, HTTP-only cookies.
- Hosting region — Application servers and the primary database run in Google Cloud's europe-west1 region. Supporting job-queue infrastructure is hosted on a dedicated VPS operated by Pragee, also in the EU.
- Transport — All client ↔ server and server ↔ third-party traffic is over TLS.
- At-rest encryption — All application data and secrets are encrypted at rest by default.
- Secrets — Production secrets (API keys, DB credentials, provider keys) are held in a dedicated secrets store, never in source control, and injected at deploy time.
- API authentication — Agent and MCP API keys are hashed before storage; the plaintext is shown to you exactly once and cannot be recovered afterwards. See API Keys.
- Observability — Error telemetry via Sentry; product analytics via Mixpanel. Both carry user IDs and event metadata but are not a substitute for your own logs.
- AI providers — Prompts and inputs are sent to the model provider that serves the model you select for each call. Email is sent via Resend. The full subprocessor list — including the AI providers we currently route to — is in Data Handling.
What's in this section
- Data Handling — what we store, where it lives, which third parties see it, and how long it sticks around.
- API Keys — how agent (
pk_live_) and MCP (mk_live_) keys are generated, stored, rotated, and revoked. - Compliance — legal entity, EU AI Act transparency, and what's covered by the
enterprise-compliancegate.
Out of scope
This section documents platform security. It does not cover:
- Security of the prompts you write or the outputs a language model produces. Treat model outputs as untrusted input to downstream systems.
- Customer-managed encryption keys, bring-your-own-cloud, or self-hosted deployments — those sit under the enterprise tier; reach out if you need them.