Trust · Security · Privacy

Deliberate capture.
Human confirmation.
Attributable evidence.

Not passive surveillance. Not autonomous AI decisioning. This page explains how PROOF handles data: what enters, what is stored, who can see it, and what never happens. Every claim here is structural, and inspectable on request.

By construction

Risks that don't exist here.

Most trust pages list controls. This section lists absences: categories of risk PROOF removes by architecture rather than manages by policy.

No passive access

Nothing enters without a human gesture

PROOF has no mailbox access, no calendar access, no call recording, no background listening. Evidence enters when a person deliberately forwards it. If your team doesn't forward it, PROOF never sees it. Any future connection would be opt-in, controller-authorised, scoped, and documented before use.

No AI writes

AI proposes. It never creates the record.

AI drafts and summarises. Only a human action, or a buyer's own reply, creates a record. AI components hold database roles with no write permission to the system of record; an automated check fails the build if such a grant ever appears.

No unattributed records

Every record knows its source

Every claim is attributed: who said it, when, on what evidence. That is the product, and it is also what makes subject-access, rectification and erasure requests answerable in minutes, not weeks.

No silent buyer records

Silence is never confirmation

The highest grade of evidence in PROOF exists only where a buyer explicitly confirmed it. An unanswered email confirms nothing. No AI scores, profiles, or infers sentiment about any individual. PROOF conducts no automated decision-making with legal or similarly significant effects on people.

No audit residue

The Evidence Audit stores nothing

Audit engagements run as a pipeline, not an application: your export is processed, the findings document is produced, and the working data is destroyed. What remains is your report and an integrity hash proving what was analysed, without keeping it.

No worker surveillance

Outside the AI Act's high-risk class, by refusal

No rep scoring, no behavioural profiling, no productivity surveillance, no AI evaluation of any individual's performance. These are permanent product refusals, which is what keeps PROOF's AI features in the limited/minimal-risk class.

Residency & processing

Where data lives, and who touches it.

The system of record is hosted in AWS eu-west-1 (Ireland). Backups stay in-region. Data PROOF publishes into your CRM or delivers into your Teams or Slack lives in your own tenancy, under your agreements.

Subprocessor
Purpose
Region
Supabase (on AWS)
Database, authentication, storage
eu-west-1 (Ireland)
Vercel
Application hosting
EU-configured; details in the DPA pack
Anthropic
AI drafting and narration only — transient processing, no training on client data
Per the AI/LLM Processing Note; transfer safeguards in the DPA pack
Transactional email
System notifications (names, addresses only)
Detailed in the DPA pack
This list is versioned. Additions or replacements are notified to client contacts with 30 days' notice, with the right to object on reasonable data-protection grounds. Changes appear in the log at the foot of this page.
Retention & deletion

What is kept, for how long, and how it ends.

The evidence ledger persists

The ledger persists for the life of your subscription. That persistence is the product: it is your governed record.

Source retention is purpose-bound

Forwarded items that become evidence are retained so every citation resolves to a real artefact; items that never become evidence are deleted after a short window, leaving only an integrity hash. A stricter, extract-only mode is configurable.

Operational logs hold metadata, never content

No brief, no evidence text, no email bodies in any log.

On termination

A full machine-readable export window, then complete deletion with written confirmation, verified by query, not by promise. Backups age out shortly after.

Erasure by anonymisation

Verified erasure destroys the individual's identifiers and scrubs references in one auditable operation, while the ledger's structure and your governed numbers remain intact. Erasure changes who, never what.

Rights assistance

Verified data-subject-rights requests are supported within five business days, or faster where statutory deadlines require.

For buyers

What PROOF holds about you, if you're on the other side of a deal.

If a seller uses PROOF, here is the honest answer to "what does this tool hold about me?"

  • Your name and business contact details, meeting attendance, and claims attributed to you — each linked to its source. Only from items a human deliberately forwarded; nothing recorded passively.
  • "Buyer-confirmed" means you confirmed it. Your silence is never treated as agreement.
  • Where the Deal Room is enabled, you can see the claims attributed to you and challenge them: a disputed point is marked contested, not quietly kept.
  • No AI scores you, profiles you, or writes judgements about you into any record.
  • Your rights — access, correction, erasure — are exercised through the selling organisation; PROOF supports them natively.

Most sales tools record people without their knowledge. PROOF records claims people confirmed, and shows them the record.

Operations

Incidents, continuity, and who can see your data.

Incident notification

Personal-data incidents are notified to your nominated contact without undue delay after we become aware, and in any event within 48 hours of confirming your data is affected — with rolling updates so your own 72-hour regulator obligations are never gated on us. Security contact: security@proofhq.io. Good-faith vulnerability reports are welcomed.

Continuity & backups

Daily backups with point-in-time recovery, held in-region. Restores are tested on a recurring cadence. And because PROOF publishes governed state into your own CRM, your system of record is never solely dependent on ours.

Access to your data

A named, minimal set of individuals can access production — there is no support team with standing data access, because there is no data access we have not listed. Access to client content happens only to provide support, investigate an incident, maintain the service, or comply with law: logged, time-bound where possible, minimum necessary. MFA on all administrative accounts.

Where we are, honestly

PROOF is an early-stage company. We do not yet hold SOC 2 or ISO 27001; certification is on the roadmap. We compensate with architecture: the guarantees on this page are structural, not procedural, and inspectable on request. A signed DPA is standard with every subscription; our TOMs annex and a completed security questionnaire are available to prospective clients.

Documents & contacts

Everything on this page is inspectable.

The Trust & Security pack collects every position on this page — residency, subprocessors, retention, AI processing, incident and continuity — in one document.

Download the Trust & Security pack PDF · updated July 2026

Signed DPA, TOMs annex, subprocessor list and completed security questionnaires are provided per engagement — available on request. Privacy: privacy@proofhq.io  ·  Security: security@proofhq.io

Change log

Every change to this page is versioned.

v1.0· July 2026

Initial publication: structural guarantees, residency, subprocessors, retention and deletion, buyer-data explanation, incident and continuity positions.