Not passive surveillance. Not autonomous AI decisioning. This page explains how PROOF handles data: what enters, what is stored, who can see it, and what never happens. Every claim here is structural, and inspectable on request.
Most trust pages list controls. This section lists absences: categories of risk PROOF removes by architecture rather than manages by policy.
PROOF has no mailbox access, no calendar access, no call recording, no background listening. Evidence enters when a person deliberately forwards it. If your team doesn't forward it, PROOF never sees it. Any future connection would be opt-in, controller-authorised, scoped, and documented before use.
AI drafts and summarises. Only a human action, or a buyer's own reply, creates a record. AI components hold database roles with no write permission to the system of record; an automated check fails the build if such a grant ever appears.
Every claim is attributed: who said it, when, on what evidence. That is the product, and it is also what makes subject-access, rectification and erasure requests answerable in minutes, not weeks.
The highest grade of evidence in PROOF exists only where a buyer explicitly confirmed it. An unanswered email confirms nothing. No AI scores, profiles, or infers sentiment about any individual. PROOF conducts no automated decision-making with legal or similarly significant effects on people.
Audit engagements run as a pipeline, not an application: your export is processed, the findings document is produced, and the working data is destroyed. What remains is your report and an integrity hash proving what was analysed, without keeping it.
No rep scoring, no behavioural profiling, no productivity surveillance, no AI evaluation of any individual's performance. These are permanent product refusals, which is what keeps PROOF's AI features in the limited/minimal-risk class.
The system of record is hosted in AWS eu-west-1 (Ireland). Backups stay in-region. Data PROOF publishes into your CRM or delivers into your Teams or Slack lives in your own tenancy, under your agreements.
The ledger persists for the life of your subscription. That persistence is the product: it is your governed record.
Forwarded items that become evidence are retained so every citation resolves to a real artefact; items that never become evidence are deleted after a short window, leaving only an integrity hash. A stricter, extract-only mode is configurable.
No brief, no evidence text, no email bodies in any log.
A full machine-readable export window, then complete deletion with written confirmation, verified by query, not by promise. Backups age out shortly after.
Verified erasure destroys the individual's identifiers and scrubs references in one auditable operation, while the ledger's structure and your governed numbers remain intact. Erasure changes who, never what.
Verified data-subject-rights requests are supported within five business days, or faster where statutory deadlines require.
If a seller uses PROOF, here is the honest answer to "what does this tool hold about me?"
Most sales tools record people without their knowledge. PROOF records claims people confirmed, and shows them the record.
Personal-data incidents are notified to your nominated contact without undue delay after we become aware, and in any event within 48 hours of confirming your data is affected — with rolling updates so your own 72-hour regulator obligations are never gated on us. Security contact: security@proofhq.io. Good-faith vulnerability reports are welcomed.
Daily backups with point-in-time recovery, held in-region. Restores are tested on a recurring cadence. And because PROOF publishes governed state into your own CRM, your system of record is never solely dependent on ours.
A named, minimal set of individuals can access production — there is no support team with standing data access, because there is no data access we have not listed. Access to client content happens only to provide support, investigate an incident, maintain the service, or comply with law: logged, time-bound where possible, minimum necessary. MFA on all administrative accounts.
PROOF is an early-stage company. We do not yet hold SOC 2 or ISO 27001; certification is on the roadmap. We compensate with architecture: the guarantees on this page are structural, not procedural, and inspectable on request. A signed DPA is standard with every subscription; our TOMs annex and a completed security questionnaire are available to prospective clients.
The Trust & Security pack collects every position on this page — residency, subprocessors, retention, AI processing, incident and continuity — in one document.
Signed DPA, TOMs annex, subprocessor list and completed security questionnaires are provided per engagement — available on request. Privacy: privacy@proofhq.io · Security: security@proofhq.io
Initial publication: structural guarantees, residency, subprocessors, retention and deletion, buyer-data explanation, incident and continuity positions.