
Security at PromptMan.dev

Last updated: November 30, 2025

Security is a core part of PromptMan.dev.

We operate as prompt infrastructure for production AI systems, and we take the protection of your data and workloads seriously.

This page summarizes our current security practices.

1. Infrastructure & Hosting

Primary hosting

PromptMan.dev is hosted on Amazon Web Services (AWS) in the European Union (eu-central-1, Frankfurt).

All data remains within the EU unless explicitly configured otherwise.

Infrastructure isolation

Each workspace's data is logically isolated.

Runtime API keys are scoped at the workspace level.

Future EU-sovereign hosting

We plan to support additional EU-only hosting environments (e.g., Hetzner, Ionos) for organizations requiring strict digital sovereignty.

2. Data Security

Encryption

  • In transit: All data is encrypted via HTTPS/TLS 1.2+.
  • At rest: All databases, backups, and object storage are encrypted.

Data minimization

We do not store:

  • LLM inputs
  • LLM outputs
  • End-user chat messages
  • Sensitive user-generated content

Runtime usage logs contain only the metadata required for billing, debugging, and system stability.

Backups

  • Automated daily backups of core databases
  • Encrypted and stored in the same region
  • Regularly tested for restoration integrity

3. Application Security

Authentication

  • Email/password authentication with hashed passwords (bcrypt or Argon2)
  • Optional invite-based access for workspace members
  • Workspace-scoped roles (owner, member)

API Key Security

  • API keys are scoped per workspace
  • Keys can be rotated at any time
  • Keys grant access only to runtime prompt fetching for that workspace

Isolation Guarantees

A tenant's API key can never access:

  • another workspace
  • another app
  • another prompt
  • another environment

This is enforced at the database and application levels.

4. Development Practices

Secure coding practices

  • Code reviewed before deployment
  • No direct database access exposed to the internet
  • Strict validation on all user inputs
  • Regular dependency updates and vulnerability scans

Secrets management

All sensitive configuration is stored encrypted in AWS Secrets Manager or injected through the environment at deploy time.

No secrets are stored in source code.

CI/CD

  • Automated build & deploy pipeline
  • Static analysis and linting
  • Unit/integration tests for critical runtime paths

5. Network & Operational Security

Firewalls & Access Control

  • No public access to internal databases
  • Only the application servers can access data stores
  • SSH access disabled (strict config-as-code deployments)

Monitoring

  • Error rate and latency monitoring
  • Health checks for API and DB connectivity
  • Runtime prompt resolution monitoring
  • Alerting for outages or anomalies

Logging

We log only what is necessary for:

  • debugging
  • abuse detection
  • billing accuracy

We do not log prompt contents fetched by your app.

6. Incident Response

We follow a standard incident response process:

  • Identification
  • Containment
  • Eradication
  • Recovery
  • Post-incident review

If an incident impacts your workspace, we will notify you promptly via email.

7. Responsible Disclosure

If you discover a vulnerability, please report it responsibly.

Security contact: security@promptman.dev

We will acknowledge and investigate all legitimate reports.

Do not test vulnerabilities on other customers' data or attempt to access other workspaces.

8. Compliance

While PromptMan.dev is not yet formally certified under frameworks such as ISO 27001 or SOC 2, our architecture and operational approach follow common best practices.

We are committed to supporting:

  • GDPR compliance
  • EU data residency requirements
  • Customer DPIAs (Data Protection Impact Assessments)

A formal DPA (Data Processing Agreement) is available upon request.

9. Model & AI Provider Interactions

PromptMan.dev does not send your prompts or any runtime content to third-party AI providers.

Your application interacts with LLMs directly.

PromptMan.dev exists as an infrastructure layer between your code and your prompts.

We do not:

  • inspect prompt content
  • use prompt data for training
  • share data with model providers
  • persist LLM content

10. Contact Us

For security questions, disclosures, or requests:

Email: security@promptman.dev