
Security & Trust Center

Your AI billing data.
Protected from day one.

PromptKing is operated by PromptKing Inc., an Ontario Business Corporation (Corp. No. 1001622155). We connect to your AI vendor accounts using read-only, least-privilege credentials — we never store your API keys in plaintext, never write to vendor accounts, and never share data across tenants. This page answers the questions your security team will ask.

Legal Entity

PromptKing Inc. · Ontario Business Corporation · Corp. No. 1001622155 · Incorporated May 25, 2026 · Registered address: Ontario, Canada · NAICS 5112 · Contact: info@promptking32.com

Infrastructure Security

Production hosting: Vercel — SOC 2 Type II certified, ISO 27001 certified, GDPR compliant
Database & auth: Supabase — SOC 2 Type II certified, HIPAA eligible, data encrypted at rest
Data in transit: TLS 1.3 enforced on all connections — HSTS preload, 2-year max-age
Data at rest: AES-256 encryption via Supabase managed storage and Supabase Vault
DDoS & WAF: Vercel Edge Network — global CDN with WAF layer and rate limiting
Uptime monitoring: Continuous availability monitoring with automated alerting

Credential Handling — How We Store Vendor API Keys

This is typically the first question from enterprise security teams. Here is exactly how PromptKing handles the credentials you provide to connect your AI vendor accounts.

Encrypted storage: All vendor credentials are stored in Supabase Vault with AES-256 encryption at rest. They are never stored in environment variables, logs, or application code.
No plaintext logging: Credentials are never written to application logs, error reports, or analytics systems.
Least-privilege scopes: PromptKing requests the minimum read-only permissions required per vendor — see the scope table below.
Tenant isolation: Credentials are scoped per organisation with row-level security (RLS) policies. No cross-tenant access is possible at the database layer.
Key rotation: Credentials can be rotated or revoked at any time from the Connectors settings page. Revocation takes effect immediately.
No write access: PromptKing never writes to, modifies, or deletes data in your AI vendor accounts. All integrations are read-only.

Read-Only Permission Scopes — Per Vendor

These are the exact permissions PromptKing requests from each vendor, and why.

Vendor | Permission scope | Purpose
Anthropic Claude | Read-only API key — usage & billing data only | Per-seat token consumption, spend, model mix, and programmatic credit tracking
GitHub Copilot | read:org, read:user, manage_billing:copilot (read) | Seat list, AI credit balance, daily burn rate, model usage breakdown
Google Workspace | Admin SDK Reports API — read-only | Per-user Gemini feature usage, SUR calculation, ghost seat detection
Microsoft 365 | Reports.Read.All, Directory.Read.All (read-only Graph) | M365 Copilot seat activity, Teams/Outlook/Excel usage, licence status
AWS Bedrock | ce:GetCostAndUsage, bedrock:GetFoundationModel (read) | Bedrock token spend, model usage, provisioned throughput utilisation
IBM Watsonx | Resource controller read, usage reports read-only | RU consumption, governance scores, model drift metrics

Application Security

Row-level security: All database queries are scoped per organisation using Supabase RLS policies. Cross-tenant data access is architecturally impossible.
Cryptographic audit log: SHA-256 checksums on all data mutations — immutable audit trail available for export by org admins and external auditors.
RBAC — 6-tier hierarchy: owner → admin → finops → dept_head → viewer → api_only. Role assignments are logged and auditable.
Security headers: CSP, HSTS, X-Frame-Options DENY, X-XSS-Protection, Referrer-Policy strict-origin, Permissions-Policy enforced on all routes.
Auth & session security: Supabase Auth with JWT tokens, secure HttpOnly cookies, CSRF protection, and automatic session expiry.
Subprocessor transparency: See the subprocessor list below — all subprocessors are contractually bound to equivalent data protection standards.
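A check a security team can run against the header policy stated above, written here as an added example and not PromptKing's own code: it validates a set of response headers against the two-year HSTS preload requirement from the Infrastructure Security section and the headers listed under Security headers. The two sample header sets are constructed for illustration, not captured from the live site; X-XSS-Protection is not checked because current browsers ignore it.

```python
import re

# Policy taken from this page: HSTS preload with a two-year max-age, plus CSP,
# X-Frame-Options DENY, Referrer-Policy strict-origin and Permissions-Policy.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, set of flags)."""
    max_age, flags = None, set()
    for part in (p.strip().lower() for p in value.split(";") if p.strip()):
        m = re.fullmatch(r"max-age=(\d+)", part)
        if m:
            max_age = int(m.group(1))
        else:
            flags.add(part)
    return max_age, flags

def check_security_headers(headers):
    """Return a list of findings; an empty list means the stated policy is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} below {TWO_YEARS}")
        for flag in ("includesubdomains", "preload"):  # both required for the preload list
            if flag not in flags:
                findings.append(f"HSTS missing {flag}")
    for name in ("content-security-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    for name, want in (("x-frame-options", "DENY"), ("referrer-policy", "strict-origin")):
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name} is not {want}")
    return findings

# Constructed sample header sets (not captured from promptking32.com).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
# One-year HSTS without the preload flags, and a framing policy weaker than DENY.
WEAK = dict(GOOD, **{"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN"})
```

Against a live deployment, pass `dict(requests.head(url).headers)` to `check_security_headers`; an empty list means every stated header control was observed.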

SOC 2 Type II — Roadmap & Current Controls

PromptKing's application-layer SOC 2 Type II audit is in progress. Our infrastructure subprocessors (Vercel, Supabase) are already SOC 2 Type II certified. Here is our milestone timeline.

Vercel SOC 2 Type II: Certified — production hosting and edge network. Certificate available on request.
Supabase SOC 2 Type II: Certified — managed database and authentication. Certificate available on request.
Security controls documented: Completed May 2026 — access control, encryption, audit logging, incident response policies in place.
Penetration test: Scheduled Q3 2026 — third-party penetration test of the application layer. Results shared under NDA on request.
Vanta evidence collection: In progress — continuous compliance monitoring via Vanta. Evidence collection for application-layer SOC 2 commenced June 2026.
SOC 2 Type II application audit: Target Q1 2027 — Type II audit covering the observation period June 2026 – December 2026.
ISO 27001: Target 2027 — planned following SOC 2 Type II completion.

Subprocessor List

PromptKing uses the following subprocessors. All are contractually bound to equivalent data protection obligations.

Subprocessor | Purpose | Location | Certifications
Vercel Inc. | Application hosting, edge network, CI/CD deployment | USA | SOC 2 Type II, ISO 27001
Supabase Inc. | Database, authentication, storage, Vault | USA | SOC 2 Type II, HIPAA eligible
Resend Inc. | Transactional email (alerts, reports) | USA | SOC 2 Type II
PostHog Inc. | Product analytics (anonymised event data only) | USA / EU | SOC 2 Type II
Anthropic PBC | AI inference for insight blob generation (opt-in only) | USA | SOC 2 Type II

Last updated: June 2026. Changes to this list are announced at least 30 days in advance via email to account admins.

Compliance & Standards

FOCUS 1.4 conformant: FinOps Open Cost & Usage Specification — normalised AI billing export across all 8 vendors. Conformance file published at /focus-conformance.json.
GDPR — data handling: Data minimisation, purpose limitation, right to erasure, and DPA available at promptking32.com/legal/dpa
PIPEDA (Canada): Compliant with Canadian federal privacy law. PromptKing Inc. is an Ontario Business Corporation.
EU AI Act — Annex III: High-risk AI system classification, audit logs, and DORA Register of Information support in the dashboard. Full assessment Q3 2026.
Cyber liability insurance: Application in progress — target: covered by Q3 2026. Certificate provided to enterprise customers on request.
SSO / SAML 2.0: On roadmap — target Q3 2026. Enterprise customers can request early access.
SCIM provisioning: On roadmap — target Q4 2026.

Enterprise Procurement

If your security or procurement team has specific requirements, contact us at info@promptking32.com. We can provide the following on request:

  • Vercel and Supabase SOC 2 Type II certificates
  • Architecture and data-flow diagrams
  • Penetration test results (under NDA, available Q3 2026)
  • Completed security questionnaires (SIG, CAIQ, VSAQ)
  • Data Processing Agreement (DPA) — download at /legal/dpa
  • Master Service Agreement (MSA) — contact us for enterprise MSA
  • Subprocessor DPAs on request
  • Read-only sandbox pilot with non-production or exported billing data

Incident Response & Data Retention

PromptKing maintains a documented incident response plan. The following commitments apply to all customers.

72-hour breach notification: In the event of a confirmed personal data breach, PromptKing will notify affected customers within 72 hours of becoming aware of the incident — in line with GDPR Article 33 and PIPEDA breach reporting requirements.
Incident severity classification: All security incidents are classified as Critical (data breach / system compromise), High (unauthorised access attempt), Medium (anomalous activity), or Low (policy violation). Critical and High incidents trigger immediate escalation.
Incident response contacts: Security incidents: info@promptking32.com with subject 'Security Incident'. We maintain a dedicated incident response runbook reviewed quarterly.
Post-incident report: For Critical and High severity incidents, PromptKing provides a written post-incident report to affected customers within 14 days, including root cause analysis and remediation steps.

Data Retention & Deletion

Active data retention: Usage records, seat data, and recommendations are retained for the duration of your active subscription plus 90 days after contract termination.
Billing and audit records: Financial records and immutable audit logs are retained for 7 years to satisfy accounting and regulatory requirements (PIPEDA, OSFI, CRA). These are stored separately from operational data.
Vendor credentials: API keys and OAuth tokens are deleted within 24 hours of connector removal or account termination. Supabase Vault entries are cryptographically purged — not archived.
Right to erasure (GDPR/PIPEDA): On written request to info@promptking32.com, PromptKing will delete all personal data within 30 days. Anonymised aggregate statistics and legally required audit records are excluded from erasure.
Data deletion on termination: Within 30 days of subscription termination, all customer data is deleted from production systems. A deletion confirmation certificate is provided on request.
Backup retention: Database backups are retained for 30 days on a rolling basis via Supabase point-in-time recovery. Backups are encrypted at rest with the same AES-256 controls as production data.

Responsible Disclosure

If you discover a security vulnerability, please contact us before public disclosure. We commit to acknowledging all reports within 24 hours and resolving critical findings within 72 hours.

PromptKing Inc. · Ontario Business Corporation · info@promptking32.com · Last reviewed: June 2026