Back to Home
Security & Integrity
Security Overview
Last updated: July 12, 2026
1. Architecture and Data Flow
PromptOS is built on a modern, decoupled architecture designed to keep prompt data secure, segregated, and accessible.
- Encryption in Transit: All communication between the user's browser, the PromptOS web servers, and third-party APIs (Supabase, OpenAI, OpenRouter, Google Gemini) is encrypted using TLS 1.3.
- Encryption at Rest: Prompt data, version logs, and dashboard metrics are persisted in our Supabase PostgreSQL database, utilizing AES-256 block-level storage encryption.
2. Database Segregation and Row-Level Security
To prevent cross-tenant data leaks and unauthorized prompts inspection, we enforce strict Row-Level Security (RLS) policies on our databases:
- Every prompt insertion, modification, and query is scoped strictly to the authenticated user ID.
- Anonymous access is rejected across all operational endpoints; prompt evaluation tables require a cryptographic session token generated via NextAuth.
- Administrative and aggregation workers run under isolated service roles with zero exposure of global credentials to frontend clients.
3. AI Subprocessor Security
When you enhance or score a prompt, we transmit relevant data securely to Google Generative AI (Gemini) or OpenRouter APIs.
- No Model Training: PromptOS uses paid developer API endpoints. Under the model providers' commercial terms of service, developer inputs sent to APIs are not used to train or refine public generative models.
- Secure API Key Management: All API keys (e.g. OpenRouter API key, Supabase keys) are stored as encrypted environment variables on our hosting platform and are accessed exclusively through server-side server actions or API endpoints. No API keys are ever sent or exposed to the client side.
4. Vulnerability Disclosure
We believe in proactive security and continuous improvement. If you discover a vulnerability or security concern within the PromptOS application code or infrastructure, please contact us directly at promptos001@gmail.com rather than publishing it. We will work to investigate and resolve all issues promptly.