© 2026 StartupBros LLC. All rights reserved.

Security

How we protect your data across our AI-powered media outreach platform

Last Updated: March 18, 2026

This page describes the security practices PR Bot implements to protect your data. It is provided for informational purposes and does not form part of any agreement between you and StartupBros LLC d/b/a PR Bot. Contractual security obligations, where applicable, are governed by our Data Processing Addendum.

1. Security Overview

PR Bot is operated by StartupBros LLC ("we," "us," "our"). Security is foundational to how we build and operate our platform. We implement commercially reasonable administrative, technical, and physical safeguards designed to protect your data against unauthorized access, destruction, loss, alteration, or misuse. These measures are proportionate to the nature and sensitivity of the data we process and the risks presented by our processing activities.

Our security practices are informed by the CIS Critical Security Controls v8, the NIST Cybersecurity Framework, and SOC 2 Trust Services Criteria. We continuously evaluate and refine our controls as threats evolve and our platform grows.

2. Infrastructure Security

Cloud Hosting and Physical Security

PR Bot runs on infrastructure provided by industry-leading cloud platforms. Physical security for all data centers is inherited from our infrastructure providers:

Provider       | Role                                   | Certifications
---------------|----------------------------------------|-------------------------------
Supabase (AWS) | Database, authentication, file storage | SOC 2 Type II, HIPAA
Vercel         | Application hosting, global CDN        | SOC 2 Type II, ISO 27001
Stripe         | Payment processing, subscriptions      | PCI DSS Level 1, SOC 2 Type II

These providers maintain enterprise-grade data center security including biometric access controls, 24/7 monitoring, environmental controls, and multi-zone redundancy. We do not operate our own data centers.

Network Security

  • DDoS protection provided by Cloudflare (via Vercel) at the CDN layer
  • Web Application Firewall (WAF) rules enforced at the edge for common attack patterns (OWASP Top 10)
  • Rate limiting applied to API endpoints to prevent abuse and brute-force attacks
  • All public-facing services require HTTPS; HTTP connections are automatically upgraded

Availability and Resilience

  • Geographically distributed infrastructure through Vercel's global edge network
  • High-availability database architecture with failover
  • Daily automated backups with point-in-time recovery capability
  • Tested backup restoration procedures to ensure recoverability

3. Data Encryption

In Transit

All data transmitted between your browser and our servers, between our services, and between our servers and third-party providers is encrypted using TLS 1.2 or higher (TLS 1.3 where supported). We enforce HTTPS on all connections and apply HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks.

At Rest

All customer data stored in our database is encrypted at rest using AES-256 encryption, provided by our database infrastructure (Supabase / AWS). This includes:

  • User account data and professional profile information
  • AI-generated pitch content and campaign data
  • File uploads and stored documents
  • Backup copies of all database contents

Sensitive values such as access tokens and API keys are additionally encrypted at the application level before storage.

4. Access Controls

Customer-Facing Controls

  • Authentication managed by Supabase Auth with support for email and social login providers
  • Multi-factor authentication (MFA) available for all user accounts
  • Automated session timeout policies to protect unattended sessions
  • Secure credential storage using industry-standard hashing algorithms (bcrypt)

Internal Administrative Controls

  • Multi-factor authentication required for all team members with access to production systems, cloud provider dashboards, and administrative tools
  • Role-based access control (RBAC) enforced at the application and database levels; personnel access is limited to the minimum required for their role
  • Principle of least privilege applied to all system access, API keys, and service accounts
  • Access reviews conducted when team members change roles or leave the organization

Multi-Tenant Data Isolation

PR Bot operates a multi-tenant architecture with strict logical separation between customer accounts:

  • Row-level security (RLS) policies are enforced at the database level to ensure that each customer can only access their own data
  • AI processing requests are made independently for each customer; one customer's data is never included in another customer's AI processing context
  • API authorization checks verify account membership on every request before returning data
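As an added illustration (not PR Bot's own schema or policies), this is how per-customer row-level security of the kind described above is expressed on Supabase's Postgres: a constructed "campaigns" table, policies keyed on the caller's JWT subject via auth.uid(), and a check that impersonates one user and confirms another owner's rows stay invisible. The table name, column names and UUIDs are assumptions.

```sql
-- Added example, not PR Bot's own schema: a per-customer "campaigns" table
-- protected by Supabase/Postgres row-level security (RLS).
-- Assumes the Supabase auth schema (auth.uid(), role "authenticated") exists.
-- In production owner_id would also reference auth.users(id).

create table if not exists public.campaigns (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null,
  title     text not null,
  pitch     text
);
grant select, insert, update, delete on public.campaigns to authenticated;

-- Enable RLS and apply it even to the table owner, so a privileged
-- application role cannot bypass the policies by accident.
alter table public.campaigns enable row level security;
alter table public.campaigns force row level security;

-- Read: only rows whose owner_id matches the caller's JWT "sub" claim.
create policy campaigns_select_own on public.campaigns
  for select to authenticated
  using (owner_id = auth.uid());

-- Write: a caller may only create or modify rows as themselves.
create policy campaigns_insert_own on public.campaigns
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy campaigns_update_own on public.campaigns
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy campaigns_delete_own on public.campaigns
  for delete to authenticated
  using (owner_id = auth.uid());

-- Verification with constructed data, run in one transaction and rolled back:
-- two owners, one row each, then act as owner A the way PostgREST would.
begin;
insert into public.campaigns (owner_id, title) values
  ('00000000-0000-0000-0000-00000000000a', 'Launch pitch A'),
  ('00000000-0000-0000-0000-00000000000b', 'Launch pitch B');

set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}',
  true);

-- Under RLS only owner A's row is returned; owner B's row is filtered out
-- by the policy rather than by anything the application has to remember.
select id, owner_id, title from public.campaigns;
rollback;
```

The same using/with check pattern extends to an account-membership table when several users share one customer account, which is the check the API layer repeats on every request.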

5. Application Security

  • Secure development lifecycle: All code changes undergo peer review before deployment. Version-controlled infrastructure and application code with managed change processes.
  • Dependency management: Automated scanning for known vulnerabilities in third-party dependencies. Security patches are prioritized and applied promptly.
  • Input validation and output encoding: Application-level controls to prevent common web vulnerabilities including injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • Audit logging: Access to customer data and administrative actions are logged for security monitoring and incident investigation purposes.

6. AI Data Security

How Your Data Flows Through AI Systems

Because PR Bot uses third-party AI models to generate media outreach content, enterprise customers need to understand exactly how their data moves through these systems. Here is how it works:

  • Input: Professional profile information and campaign parameters you provide are sent to AI model providers via their commercial APIs.
  • Processing: AI models process your input to generate pitch drafts and journalist-query matching.
  • Output: Generated content is returned to PR Bot and stored in your account.
  • Data minimization: We send only the minimum data necessary for each AI operation. We do not send your full account data or data from other customers.

No Model Training on Your Data

We use commercial API agreements with our AI providers that contractually prohibit the use of your data for model training or improvement:

AI Provider | API Tier                  | Training Opt-Out                                     | DPA in Place
------------|---------------------------|------------------------------------------------------|-------------
OpenAI      | Business / Enterprise API | Confirmed: API data not used for training            | ✓ Active
Anthropic   | Commercial API            | Confirmed: API inputs/outputs excluded from training | ✓ Active
Google AI   | Gemini API (paid tier)    | Confirmed: paid API data excluded from training      | ✓ Active

AI Input Validation

We implement controls designed to protect against adversarial inputs to our AI processing pipeline:

  • Input validation and sanitization before data is sent to AI providers
  • Structured prompting techniques that separate system instructions from user-provided data
  • Output filtering to detect and prevent unintended content in AI-generated results
  • Monitoring of AI processing outputs for anomalous behavior

Customer Data Isolation in AI Processing

Each customer's AI processing requests are independent and isolated. We do not batch data across customer accounts, and one customer's profile information is never included in another customer's AI context window. For more information about how we use AI, see our AI Transparency & Policy.

7. Organizational Security

  • Personnel: All personnel with access to customer data are bound by contractual confidentiality obligations. Access to production systems is restricted to employees whose roles require it.
  • Security awareness: Team members receive security awareness training covering phishing, social engineering, secure development practices, and data handling procedures.
  • Vendor management: We maintain data processing agreements with all subprocessors and conduct due diligence assessments before engaging new vendors. The current list of subprocessors is published at prbot.ai/data-processing.
  • Device security: Administrative access to production systems is restricted to authorized devices with enforced disk encryption and current operating system patches.

8. Incident Response

We maintain a documented incident response plan that is reviewed and updated periodically. In the event of a security incident affecting customer data:

Response Process

  1. Detection and containment: Identify the scope of the incident, isolate affected systems, and prevent further unauthorized access.
  2. Assessment: Determine what data was affected, the root cause, and the potential impact.
  3. Notification: Notify affected customers and applicable regulatory authorities in accordance with legal requirements (see notification timelines below).
  4. Remediation: Implement fixes to address the root cause and prevent recurrence.
  5. Post-incident review: Document lessons learned and update security controls accordingly.

Notification Timelines

  • GDPR (EU/EEA): Supervisory authority notified within 72 hours of becoming aware of a personal data breach. Affected individuals notified without undue delay where the breach is likely to result in high risk to their rights and freedoms.
  • Florida (FIPA): Affected individuals notified within 30 days. Florida Department of Legal Affairs notified if more than 500 individuals are affected.
  • California (CCPA/CPRA): Affected California residents notified in accordance with the California Civil Code Section 1798.82 (generally without unreasonable delay).
  • DPA customers: Customers with an active Data Processing Agreement are notified within 72 hours in accordance with the DPA terms.

All breach notifications will describe the nature of the breach, the data categories affected, the likely consequences, and the measures taken to address it. For complete details, see Data Processing Information.

9. Compliance and Certifications

Our Compliance Posture

Framework        | Status                            | Details
-----------------|-----------------------------------|--------------------------------------------------------------------------------
GDPR             | Compliant                         | Data Processing Addendum available; Standard Contractual Clauses implemented for international transfers; lawful bases documented in our Privacy Policy
CCPA / CPRA      | Compliant                         | California privacy rights honored; no sale of personal information; service provider obligations fulfilled
SOC 2 Type II    | Infrastructure Providers Certified | Supabase, Vercel, and Stripe each maintain independently audited SOC 2 Type II reports. Our internal security practices are aligned with SOC 2 Trust Services Criteria.
PCI DSS          | Delegated to Stripe               | All payment processing is handled by Stripe (PCI DSS Level 1 Service Provider). We never store, process, or transmit cardholder data on our own servers.
EU AI Act        | Compliant                         | AI-generated content disclosures per Article 50; AI transparency policy published; provider-level obligations monitored. See our AI Transparency & Policy.
CIS Controls v8  | Aligned                           | Security practices aligned with Implementation Group 1 controls, recognized as the reasonable security baseline by the California Attorney General

Enterprise Procurement Support

We understand the importance of security diligence in enterprise procurement. We can provide:

  • Completed security questionnaires (SIG Lite, CAIQ, or custom formats)
  • Our Data Processing Addendum with GDPR Standard Contractual Clauses (available at prbot.ai/dpa)
  • Infrastructure provider SOC 2 reports (via their respective trust portals)
  • Detailed responses to security-related questions from your procurement or InfoSec team

Contact security@prbot.ai to initiate a security review.

10. Data Retention and Deletion

We retain customer data only as long as necessary to provide our services and comply with legal obligations. Key retention periods:

  • Account and profile data: Retained while your account is active; deleted within 30 days of account deletion
  • AI-generated content: Deleted within 30 days of account deletion
  • Payment records: Retained for 7 years as required by tax and accounting law
  • Server and application logs: Retained for up to 90 days for security monitoring and debugging
  • Backup copies: Deleted within 90 days of primary data deletion in accordance with our standard backup rotation schedule

You may delete your data at any time through your account settings or by contacting privacy@prbot.ai. For complete data retention details, see our Privacy Policy and Data Processing Information.

11. Vulnerability Disclosure Policy

We value the security research community and welcome responsible reports of potential security vulnerabilities in our services.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please report it to security@prbot.ai. Include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots

Our Commitment

  • We will acknowledge receipt of your report within 3 business days
  • We will provide an initial assessment within 10 business days
  • We will work to remediate confirmed vulnerabilities in a timeframe appropriate to the severity
  • We will notify you when the vulnerability has been remediated

Safe Harbor

We will not pursue legal action against security researchers who:

  • Make a good-faith effort to comply with this vulnerability disclosure policy
  • Avoid accessing or modifying data belonging to other users
  • Do not exploit a vulnerability beyond what is necessary to confirm its existence
  • Report the vulnerability to us before disclosing it publicly
  • Allow a reasonable period (generally 90 days) for us to address the vulnerability before any public disclosure

This safe harbor is consistent with the U.S. Department of Justice's policy on charging violations of the Computer Fraud and Abuse Act (CFAA) with respect to good-faith security research.

Scope

In scope: prbot.ai and its subdomains; PR Bot application functionality.

Out of scope: Social engineering attacks against our employees; denial-of-service attacks; physical security testing; third-party services and applications (report these to the respective provider).

12. Contact

For security-related inquiries:

  • Security Team: security@prbot.ai
  • Privacy Inquiries: privacy@prbot.ai
  • Enterprise Procurement: security@prbot.ai
  • Postal Address: StartupBros LLC, 100 1st Ave N, #2706, St. Petersburg, FL 33701, USA

13. Frequently Asked Questions

How does PR Bot encrypt my data?

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher with HSTS headers enforced. All customer data stored in our database is encrypted at rest using AES-256 encryption provided by Supabase on AWS. Sensitive values such as access tokens and API keys receive additional application-level encryption before storage.

Is my data isolated from other customers on PR Bot?

Yes. PR Bot enforces strict logical separation between customer accounts using row-level security (RLS) policies at the database level. Each customer’s AI processing requests are independent and isolated — one customer’s data is never included in another customer’s AI context window. API authorization checks verify account membership on every request.

What happens if there is a security breach at PR Bot?

We maintain a documented incident response plan. In the event of a breach, we detect and contain the incident, assess impact, notify affected customers and regulatory authorities within required timelines (72 hours for GDPR, 30 days for Florida FIPA), remediate the root cause, and conduct a post-incident review. All notifications describe the breach nature, data affected, and measures taken.

How do I report a security vulnerability to PR Bot?

Email security@prbot.ai with a description of the vulnerability, steps to reproduce, and any proof-of-concept. We acknowledge receipt within 3 business days, provide an initial assessment within 10 business days, and offer safe harbor for good-faith security researchers consistent with the U.S. Department of Justice’s CFAA policy.

What security certifications and compliance frameworks does PR Bot follow?

Our infrastructure providers (Supabase, Vercel, Stripe) maintain independently audited SOC 2 Type II reports. We are GDPR and CCPA/CPRA compliant, PCI DSS compliant via Stripe, and EU AI Act compliant. Our internal practices align with CIS Critical Security Controls v8 Implementation Group 1 and the NIST Cybersecurity Framework.

How long does PR Bot retain my data?

Account and profile data is retained while your account is active and deleted within 30 days of account deletion. AI-generated content follows the same schedule. Payment records are retained for 7 years as required by tax law. Server logs are retained for up to 90 days. Backup copies are deleted within 90 days of primary data deletion.

Change Log

Date           | Summary of Changes
---------------|--------------------
March 18, 2026 | Initial publication

This Security Policy complements our broader legal documentation. For binding security commitments, please refer to our Data Processing Addendum.

Related Documents:

  • Privacy Policy — How we collect, use, and protect your information
  • Data Processing Addendum — GDPR Article 28 compliant DPA with Standard Contractual Clauses
  • Data Processing Information — Subprocessor list and data transfer safeguards
  • AI Transparency & Policy — How we use artificial intelligence
  • Acceptable Use Policy — Standards of conduct for using the platform

Questions about this document? Contact us at security@prbot.ai
