Security and Compliance

This guide explains the security features, data protection measures, and compliance capabilities built into PromptOwl for enterprise users.

Security Overview
Authentication and Access
Data Encryption
Role-Based Access Control
Data Isolation
Consent and Privacy
Session Management
API Security
Enterprise Security Controls
Security Best Practices
Compliance Considerations

Security Overview

PromptOwl implements multiple layers of security to protect your data and ensure secure AI interactions.

Security Architecture


User Authentication
         ↓
Session Validation
         ↓
Role-Based Access Control (RBAC)
         ↓
Resource-Level Permissions
         ↓
Data Encryption
         ↓
Secure Cloud Storage

Key Security Features

Feature	Implementation
Authentication	OAuth + Credentials
Encryption	Industry-standard for sensitive data
Access Control	Role-based (RBAC)
Session Management	JWT with 7-day expiration
Data Isolation	User/team/enterprise levels
Consent Tracking	GDPR-compliant logging

Authentication and Access

Authentication Methods

PromptOwl supports two authentication methods:

1. Google OAuth (Recommended)

Secure OAuth 2.0 flow
No password stored in PromptOwl
Automatic email verification
Enterprise SSO integration

2. Email/Password

Industry-standard password hashing
Email verification required
Secure password reset flow

Measure	Description
Password Hashing	Industry-standard hashing algorithm
Email Verification	Required for credential login
Session Tokens	Cryptographically signed tokens
HTTPS Only	Encrypted in transit

User signs up via OAuth or credentials
Email verification (if credentials)
Consent collection (GDPR compliance)
Enterprise auto-assignment (if applicable)
Session token issued

Data Encryption

What’s Encrypted

Data Type	Encryption
LLM API Keys	Encrypted at rest
Payment Credentials	Encrypted at rest
Passwords	Industry-standard hashing
Session Tokens	Cryptographically signed

API Key Protection

Your LLM provider API keys receive special protection:

Encryption Process:

User enters API key in settings
Key encrypted before storage
Encrypted value stored in database
Decrypted only at runtime when needed
Never displayed after initial save

Supported Providers:

OpenAI
Anthropic (Claude)
Google Gemini
Groq
Grok (xAI)

Encryption Standards

Data Type	Protection
API Keys	Encrypted at rest
Passwords	Industry-standard hashing
Sessions	Cryptographically signed tokens
Network	TLS encrypted in transit

Role-Based Access Control

Role Hierarchy

PromptOwl uses a hierarchical role system:


Platform Admin
    ├── Full platform access
    ├── All enterprise management
    └── System configuration

Enterprise Admin
    ├── Enterprise settings
    ├── User management
    ├── Team management
    └── Feature configuration

Enterprise User
    ├── Create prompts
    ├── Access shared resources
    ├── Team collaboration
    └── Limited by settings

Regular User
    ├── Personal resources
    ├── Shared access only
    └── No admin capabilities

Resource-Level Permissions

For individual resources (prompts, artifacts, conversations):

Role	View	Edit	Delete	Share
Owner	Yes	Yes	Yes	Yes
Editor	Yes	Yes	No	Yes
Viewer	Yes	No	No	No
User	Yes	No	No	No

Permission Checks

Every action verifies:

User is authenticated
User has appropriate role
User has access to specific resource
Enterprise settings allow the action

Checking Your Permissions

Your effective permissions depend on:

Your platform role
Your enterprise role (if applicable)
Your team memberships
Direct sharing to your email

Data Isolation

Multi-Level Isolation

PromptOwl ensures data separation at multiple levels:

User Level:

All queries filter by user ID
Personal data never visible to others
API keys tied to individual accounts

Team Level:

Team resources visible only to members
Role determines access within team
Team ownership tracked

Enterprise Level:

Enterprise data isolated by subdomain
Cross-enterprise access blocked
Settings apply per-enterprise

Isolation Implementation

Resource	Isolation Method
Conversations	userId filter + sharing
Prompts	userId + teams + sharedWith
Artifacts	owner field + folder permissions
API Keys	userId (one-to-one)
Settings	enterpriseId

Cross-Tenant Protection

Subdomain-based access control
Enterprise membership validation
Blocked subdomains list maintained
Middleware enforces boundaries

PromptOwl tracks user consent for privacy compliance:

Consent Data Captured:

Consent timestamp
User’s IP address
Policy versions accepted
Consent update history

Policy Tracking

Policy	Version Format
Terms of Use	YYYY-MM-DD
Privacy Policy	YYYY-MM-DD
End User License Agreement	YYYY-MM-DD
AI Policy	YYYY-MM-DD
Cookie Policy	YYYY-MM-DD
Disclaimer	YYYY-MM-DD

User registers or logs in
System checks for valid consent
If no consent or outdated policies:
- Consent modal displayed
- User must accept to continue
Consent data stored with timestamp and IP
Session token includes consent status

User Data Rights

Right	Implementation
Access	Users can view their data
Portability	Export prompts as JSON
Rectification	Edit profile and data
Erasure	Soft delete with isDeleted flag

Session Management

Secure Sessions

PromptOwl uses secure session management:

Property	Value
Strategy	Token-based
Duration	7 days
Signing	Server-side secret
Storage	HTTP-only cookies

Session Data

Your session token contains:

User ID and email
Platform role
Enterprise memberships
Consent status
User preferences

Session Security

Measure	Purpose
HTTP-only cookies	Prevent XSS access
Secure flag	HTTPS only
Expiration	Auto-logout after 7 days
Secret rotation	Admin-controlled

Session Invalidation

Sessions end when:

Token expires (7 days)
User logs out
Password changed (credential users)
Admin revokes access

API Security

Authentication Methods

API requests require authentication:

Session-Based (Web):

JWT token in cookies
Automatic with browser requests

API Key (Programmatic):

X-API-Key header
Generated per-prompt
Tied to user account

Protected Endpoints

All API routes validate:

Authentication present
User exists and active
Permission for requested action
Rate limits not exceeded

CORS Configuration

Setting	Value
Origin	Configured per environment
Methods	GET, POST, PUT, DELETE
Headers	Content-Type, Authorization
Credentials	Allowed

API Best Practices

Do:

Use HTTPS exclusively
Include authentication headers
Handle errors gracefully
Log API usage

Don’t:

Share API keys
Expose keys in client code
Ignore rate limits
Skip error handling

Enterprise Security Controls

Feature Toggles

Enterprise admins can control security-related features:

Feature	Security Impact
`showShareButton`	Enable/disable sharing
`showModelSwitcher`	Restrict model access
`showMemory`	Control context retention
`autoAddUsersToTeam`	Automatic team membership

Enterprise Settings

Setting	Description
Active Status	Enable/disable enterprise
Default Prompt	Restrict to specific prompt
Feature Flags	Control available features
Team Auto-Add	Automatic membership

Subdomain Security

Each enterprise has unique subdomain
Users restricted to their subdomain
Cross-subdomain access blocked
Admin override capabilities

Team Management

Control	Description
Member Roles	Assign appropriate access
Team Deletion	Remove all team access
Role Changes	Audit trail of changes
Email Verification	Required for team invites

Security Best Practices

For Users

Account Security:

Use strong, unique passwords
Enable OAuth when possible
Review account activity
Report suspicious access

API Key Management:

Rotate keys periodically
Don’t share keys
Use separate keys per environment
Monitor usage in provider dashboards

Data Handling:

Don’t input sensitive data in prompts
Review shared resource access
Use appropriate team roles
Clear unused conversations

For Administrators

Enterprise Configuration:

Review feature toggles regularly
Audit user access periodically
Monitor for unusual activity
Keep enterprise settings current

Team Management:

Assign minimum necessary permissions
Remove departed employees promptly
Review team memberships quarterly
Document access decisions

Security Monitoring:

Review sharing activity
Monitor API usage
Check for deprecated models
Validate consent compliance

Security Checklist

Account Level:

Strong password or OAuth
Email verified
Consent given
API keys encrypted

Enterprise Level:

Feature toggles reviewed
Teams properly configured
User roles appropriate
Sharing settings correct

Compliance Considerations

Built-In Compliance Features

Feature	Compliance Purpose
Consent tracking	GDPR Article 7
IP logging	Audit trail
Policy versioning	Consent validity
Data export	Right to portability
Soft deletion	Data retention

Data Residency

Data stored in MongoDB Atlas
Region determined by cluster location
Contact support for specific requirements

Audit Capabilities

Capability	Status
Consent logs	Available
Login tracking	Via session timestamps
Data modification	Via updatedAt fields
Access logs	Limited

Compliance Responsibilities

PromptOwl Provides:

Encryption infrastructure
Access control systems
Consent management
Data isolation

Customer Responsible For:

User training
Policy enforcement
Compliance documentation
Incident response

Industry Standards

PromptOwl implements security practices aligned with:

OWASP Top 10 mitigations
SOC 2 Type II principles
ISO 27001 controls
GDPR requirements

Note: For specific compliance certifications or attestations, contact PromptOwl support.

Quick Reference

Security Features Summary

Layer	Protection
Network	HTTPS/TLS
Authentication	OAuth + secure hashing
Authorization	RBAC
Data at Rest	Encrypted
Sessions	JWT + expiration
Multi-tenancy	Subdomain isolation

Contact for Security

For security concerns:

Report vulnerabilities to security@promptowl.ai
Contact support for compliance questions
Review documentation for best practices

Security and Compliance

Table of Contents

Security Overview

Security Architecture

Key Security Features

Authentication and Access

Authentication Methods

Login Security

First-Time Login

Data Encryption

What’s Encrypted

API Key Protection

Encryption Standards

Role-Based Access Control

Role Hierarchy

Resource-Level Permissions

Permission Checks

Checking Your Permissions

Data Isolation

Multi-Level Isolation

Isolation Implementation

Cross-Tenant Protection

Consent and Privacy

GDPR Compliance Features

Policy Tracking

Consent Flow

User Data Rights

Session Management

Secure Sessions

Session Data

Session Security

Session Invalidation

API Security

Authentication Methods

Protected Endpoints

CORS Configuration

API Best Practices

Enterprise Security Controls

Feature Toggles

Enterprise Settings

Subdomain Security

Team Management

Security Best Practices

For Users

For Administrators

Security Checklist

Compliance Considerations

Built-In Compliance Features

Data Residency

Audit Capabilities

Compliance Responsibilities

Industry Standards

Quick Reference

Security Features Summary

Contact for Security

Related Guides