Security and Compliance

PromptOwl security features - encryption, role-based access control, GDPR compliance, and enterprise data isolation.

This guide explains the security features, data protection measures, and compliance capabilities built into PromptOwl for enterprise users.




Security Overview

PromptOwl implements multiple layers of security to protect your data and ensure secure AI interactions.

Security Architecture

Key Security Features

| Feature | Implementation |
| --- | --- |
| Authentication | OAuth + Credentials |
| Encryption | Industry-standard for sensitive data |
| Access Control | Role-based (RBAC) |
| Session Management | JWT with 7-day expiration |
| Data Isolation | User/team/enterprise levels |
| Consent Tracking | GDPR-compliant logging |


Authentication and Access

Authentication Methods

PromptOwl supports two authentication methods:

1. Google OAuth (Recommended)

  • Secure OAuth 2.0 flow

  • No password stored in PromptOwl

  • Automatic email verification

  • Enterprise SSO integration

2. Email/Password

  • Industry-standard password hashing

  • Email verification required

  • Secure password reset flow

Login Security

| Measure | Description |
| --- | --- |
| Password Hashing | Industry-standard hashing algorithm |
| Email Verification | Required for credential login |
| Session Tokens | Cryptographically signed tokens |
| HTTPS Only | Encrypted in transit |

First-Time Login

  1. User signs up via OAuth or credentials

  2. Email verification (if credentials)

  3. Consent collection (GDPR compliance)

  4. Enterprise auto-assignment (if applicable)

  5. Session token issued

Screenshot: Login Security

Data Encryption

What's Encrypted

| Data Type | Encryption |
| --- | --- |
| LLM API Keys | Encrypted at rest |
| Payment Credentials | Encrypted at rest |
| Passwords | Industry-standard hashing |
| Session Tokens | Cryptographically signed |

API Key Protection

Your LLM provider API keys receive special protection:

Encryption Process:

  1. User enters API key in settings

  2. Key encrypted before storage

  3. Encrypted value stored in database

  4. Decrypted only at runtime when needed

  5. Never displayed after initial save
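The encryption process above, sketched as an added example (not PromptOwl's own code): the page does not name a cipher, so AES-256-GCM, the record layout and every function name here are assumptions. The user ID is bound to the ciphertext as associated data, so a stored record cannot be decrypted under another account.

```javascript
// Added illustration, not PromptOwl's implementation. AES-256-GCM, the record
// layout and all names are assumptions.
const crypto = require('node:crypto');

// In production this key would come from a KMS or secret store (constructed here).
const MASTER_KEY = crypto.randomBytes(32);

// Steps 2-3: encrypt before storage and return only what goes into the database.
function encryptApiKey(plaintext, userId, key = MASTER_KEY) {
  const iv = crypto.randomBytes(12);                 // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));        // bind the ciphertext to its owner
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    userId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Step 4: decrypt at runtime, just before the provider call.
function decryptApiKey(record, userId, key = MASTER_KEY) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  // final() throws if the ciphertext, tag or owner binding was altered.
  return Buffer.concat([
    decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final(),
  ]).toString('utf8');
}

// Step 5: what the settings page may receive after the initial save.
function toClientView(record) {
  return { userId: record.userId, hasKey: true };
}

// True when decryption is refused (tampered record or wrong owner).
function isRejected(record, userId) {
  try { decryptApiKey(record, userId); return false; } catch { return true; }
}
```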

Supported Providers:

  • OpenAI

  • Anthropic (Claude)

  • Google Gemini

  • Groq

  • Grok (xAI)

Encryption Standards

| Data Type | Protection |
| --- | --- |
| API Keys | Encrypted at rest |
| Passwords | Industry-standard hashing |
| Sessions | Cryptographically signed tokens |
| Network | TLS encrypted in transit |


Role-Based Access Control

Role Hierarchy

PromptOwl uses a hierarchical role system:

Resource-Level Permissions

For individual resources (prompts, artifacts, conversations):

| Role | View | Edit | Delete | Share |
| --- | --- | --- | --- | --- |
| Owner | Yes | Yes | Yes | Yes |
| Editor | Yes | Yes | No | Yes |
| Viewer | Yes | No | No | No |
| User | Yes | No | No | No |

Permission Checks

Every action verifies:

  1. User is authenticated

  2. User has appropriate role

  3. User has access to specific resource

  4. Enterprise settings allow the action
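The four checks above, combined with the resource-level permission table, as an added example (not PromptOwl's own code). The object shapes, function names and reason strings are assumptions; the role matrix and the showShareButton toggle are taken from this page.

```javascript
// Added illustration, not PromptOwl's code. Object shapes and names are
// assumptions; the role matrix and showShareButton come from this page.
const ROLE_MATRIX = {
  Owner:  { view: true, edit: true,  delete: true,  share: true  },
  Editor: { view: true, edit: true,  delete: false, share: true  },
  Viewer: { view: true, edit: false, delete: false, share: false },
  User:   { view: true, edit: false, delete: false, share: false },
};

// Constructed sample data.
const SAMPLE_PROMPT = {
  ownerId: 'u1',
  sharedWith: [{ email: 'editor@example.com', role: 'Editor' }],
};
const SAMPLE_EDITOR = { id: 'u2', email: 'editor@example.com' };

// Check 3: resolve the caller's role on this resource, or null for no access.
function roleOnResource(user, resource) {
  if (resource.ownerId === user.id) return 'Owner';
  const grant = (resource.sharedWith || []).find((g) => g.email === user.email);
  return grant ? grant.role : null;
}

// Applies all four checks and fails closed. The reason string is for audit logs.
function authorize(user, resource, action, enterprise) {
  if (!user) return { allowed: false, reason: 'unauthenticated' };            // check 1
  const role = roleOnResource(user, resource);
  if (role === null) return { allowed: false, reason: 'no-resource-access' }; // check 3
  const perms = ROLE_MATRIX[role];
  // Unknown roles or actions are denied: only an explicit `true` grants.
  if (!perms || perms[action] !== true) {
    return { allowed: false, reason: 'role-forbids-action' };                 // check 2
  }
  if (action === 'share' && enterprise && enterprise.showShareButton === false) {
    return { allowed: false, reason: 'disabled-by-enterprise' };              // check 4
  }
  return { allowed: true, reason: 'ok' };
}
```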

Checking Your Permissions

Your effective permissions depend on:

  • Your platform role

  • Your enterprise role (if applicable)

  • Your team memberships

  • Direct sharing to your email


Data Isolation

Multi-Level Isolation

PromptOwl ensures data separation at multiple levels:

User Level:

  • All queries filter by user ID

  • Personal data never visible to others

  • API keys tied to individual accounts

Team Level:

  • Team resources visible only to members

  • Role determines access within team

  • Team ownership tracked

Enterprise Level:

  • Enterprise data isolated by subdomain

  • Cross-enterprise access blocked

  • Settings apply per-enterprise

Isolation Implementation

| Resource | Isolation Method |
| --- | --- |
| Conversations | userId filter + sharing |
| Prompts | userId + teams + sharedWith |
| Artifacts | owner field + folder permissions |
| API Keys | userId (one-to-one) |
| Settings | enterpriseId |

Cross-Tenant Protection

  • Subdomain-based access control

  • Enterprise membership validation

  • Blocked subdomains list maintained

  • Middleware enforces boundaries


GDPR Compliance Features

PromptOwl tracks user consent for privacy compliance:

Consent Data Captured:

  • Consent timestamp

  • User's IP address

  • Policy versions accepted

  • Consent update history

Policy Tracking

| Policy | Version Format |
| --- | --- |
| Terms of Use | YYYY-MM-DD |
| Privacy Policy | YYYY-MM-DD |
| End User License Agreement | YYYY-MM-DD |
| AI Policy | YYYY-MM-DD |
| Cookie Policy | YYYY-MM-DD |
| Disclaimer | YYYY-MM-DD |

  1. User registers or logs in

  2. System checks for valid consent

  3. If no consent or outdated policies:

    • Consent modal displayed

    • User must accept to continue

  4. Consent data stored with timestamp and IP

  5. Session token includes consent status
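The consent check in steps 2 to 5, as an added example (not PromptOwl's own code). The record shape, policy keys, dates and IP address are constructed; only the YYYY-MM-DD version format and the captured fields come from this page.

```javascript
// Added illustration, not PromptOwl's code. Record shape, policy keys and the
// dates below are constructed; only the YYYY-MM-DD format is from the page.
const CURRENT_POLICIES = {
  termsOfUse: '2025-01-15', privacyPolicy: '2025-03-01', eula: '2024-11-20',
  aiPolicy: '2025-03-01', cookiePolicy: '2024-06-10', disclaimer: '2024-06-10',
};

const VERSION_RE = /^\d{4}-\d{2}-\d{2}$/;

// Step 2-3: list the policies the user must (re)accept. Empty list = consent valid.
function outdatedPolicies(consent, current = CURRENT_POLICIES) {
  return Object.keys(current).filter((policy) => {
    const accepted = consent && consent.versions && consent.versions[policy];
    // Missing or malformed versions count as not accepted (fail closed).
    if (typeof accepted !== 'string' || !VERSION_RE.test(accepted)) return true;
    // Zero-padded ISO dates order correctly as plain strings.
    return accepted < current[policy];
  });
}

// Step 4: append a new entry instead of overwriting, so update history is kept.
function recordConsent(history, ip, now = new Date(), current = CURRENT_POLICIES) {
  const entry = { timestamp: now.toISOString(), ip, versions: { ...current } };
  return [...history, entry];
}

// Step 5: the boolean that would be placed in the session token.
function consentStatus(history) {
  const latest = history[history.length - 1] || null;
  return outdatedPolicies(latest).length === 0;
}
```

Because the status is copied into a token that lives for days, a policy version bump only takes effect for existing sessions if the check also runs when the token is refreshed or validated.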

User Data Rights

| Right | Implementation |
| --- | --- |
| Access | Users can view their data |
| Portability | Export prompts as JSON |
| Rectification | Edit profile and data |
| Erasure | Soft delete with isDeleted flag |

Screenshot: Consent Dialog

Session Management

Secure Sessions

PromptOwl uses secure session management:

| Property | Value |
| --- | --- |
| Strategy | Token-based |
| Duration | 7 days |
| Signing | Server-side secret |
| Storage | HTTP-only cookies |

Session Data

Your session token contains:

  • User ID and email

  • Platform role

  • Enterprise memberships

  • Consent status

  • User preferences

Session Security

| Measure | Purpose |
| --- | --- |
| HTTP-only cookies | Prevent XSS access |
| Secure flag | HTTPS only |
| Expiration | Auto-logout after 7 days |
| Secret rotation | Admin-controlled |

Session Invalidation

Sessions end when:

  • Token expires (7 days)

  • User logs out

  • Password changed (credential users)

  • Admin revokes access
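A signed token stays verifiable until it expires, so ending a session on password change or admin revocation needs a server-side check at verification time. One way to do that, as an added example (not PromptOwl's own code); HS256, the claim names, the cookie name and the passwordChangedAt and revoked fields are assumptions.

```javascript
// Added illustration, not PromptOwl's code. HS256, claim names, the cookie
// name and the passwordChangedAt/revoked fields are assumptions.
const crypto = require('node:crypto');

const SEVEN_DAYS = 7 * 24 * 60 * 60; // seconds, the documented session duration
const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

function issueToken(user, secret, nowSec) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ sub: user.id, iat: nowSec, exp: nowSec + SEVEN_DAYS }));
  return `${header}.${payload}.${b64u(mac(`${header}.${payload}`, secret))}`;
}

// Returns { ok, reason }. lookupUser stands in for a database read.
function verifySession(token, secret, nowSec, lookupUser) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  // The algorithm is fixed here; the header's alg field is never consulted.
  const expected = mac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  // Signature and expiry alone cannot end a session early: consult current state.
  const user = lookupUser(claims.sub);
  if (!user || user.revoked) return { ok: false, reason: 'revoked' };
  if (user.passwordChangedAt > claims.iat) return { ok: false, reason: 'password-changed' };
  return { ok: true, reason: 'ok' };
}

// Cookie attributes from the Session Security table.
function sessionCookie(token) {
  return `session=${token}; HttpOnly; Secure; Path=/; Max-Age=${SEVEN_DAYS}`;
}
```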


API Security

Authentication Methods

API requests require authentication:

Session-Based (Web):

  • JWT token in cookies

  • Automatic with browser requests

API Key (Programmatic):

  • X-API-Key header

  • Generated per-prompt

  • Tied to user account

Protected Endpoints

All API routes validate:

  1. Authentication present

  2. User exists and active

  3. Permission for requested action

  4. Rate limits not exceeded

CORS Configuration

| Setting | Value |
| --- | --- |
| Origin | Configured per environment |
| Methods | GET, POST, PUT, DELETE |
| Headers | Content-Type, Authorization |
| Credentials | Allowed |
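With credentials allowed, the origin has to be matched exactly against a per-environment allowlist, since browsers reject a wildcard origin on credentialed responses. An added example of that decision, including preflight handling (not PromptOwl's own code); the origins, request shape and function name are assumptions, while the methods and headers are the values from the table.

```javascript
// Added illustration, not PromptOwl's code. Origins, request shape and names
// are assumptions; methods and headers are the values from the table.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',      // constructed production origin
  'https://staging.example.com',  // constructed staging origin
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// req: { method, headers } with lower-cased header names, as Node's http gives.
// Returns { status, headers }; status is null when the request just continues.
function corsDecision(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  // Exact match only: no wildcard, prefix, suffix or regex matching.
  if (typeof origin !== 'string' || !allowed.has(origin)) {
    return { status: null, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from reusing one origin's response for another
  };
  if (req.method !== 'OPTIONS') return { status: null, headers };

  // Preflight: approve only the documented methods and request headers.
  const wantMethod = req.headers['access-control-request-method'];
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: { 'Vary': 'Origin' } };

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  return { status: 204, headers };
}
```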

API Best Practices

Do:

  • Use HTTPS exclusively

  • Include authentication headers

  • Handle errors gracefully

  • Log API usage

Don't:

  • Share API keys

  • Expose keys in client code

  • Ignore rate limits

  • Skip error handling


Enterprise Security Controls

Feature Toggles

Enterprise admins can control security-related features:

| Feature | Security Impact |
| --- | --- |
| showShareButton | Enable/disable sharing |
| showModelSwitcher | Restrict model access |
| showMemory | Control context retention |
| autoAddUsersToTeam | Automatic team membership |

Enterprise Settings

| Setting | Description |
| --- | --- |
| Active Status | Enable/disable enterprise |
| Default Prompt | Restrict to specific prompt |
| Feature Flags | Control available features |
| Team Auto-Add | Automatic membership |

Subdomain Security

  • Each enterprise has unique subdomain

  • Users restricted to their subdomain

  • Cross-subdomain access blocked

  • Admin override capabilities

Team Management

| Control | Description |
| --- | --- |
| Member Roles | Assign appropriate access |
| Team Deletion | Remove all team access |
| Role Changes | Audit trail of changes |
| Email Verification | Required for team invites |


Security Best Practices

For Users

Account Security:

  • Use strong, unique passwords

  • Enable OAuth when possible

  • Review account activity

  • Report suspicious access

API Key Management:

  • Rotate keys periodically

  • Don't share keys

  • Use separate keys per environment

  • Monitor usage in provider dashboards

Data Handling:

  • Don't input sensitive data in prompts

  • Review shared resource access

  • Use appropriate team roles

  • Clear unused conversations

For Administrators

Enterprise Configuration:

  • Review feature toggles regularly

  • Audit user access periodically

  • Monitor for unusual activity

  • Keep enterprise settings current

Team Management:

  • Assign minimum necessary permissions

  • Remove departed employees promptly

  • Review team memberships quarterly

  • Document access decisions

Security Monitoring:

  • Review sharing activity

  • Monitor API usage

  • Check for deprecated models

  • Validate consent compliance

Security Checklist

Account Level:

Enterprise Level:


Compliance Considerations

Built-In Compliance Features

| Feature | Compliance Purpose |
| --- | --- |
| Consent tracking | GDPR Article 7 |
| IP logging | Audit trail |
| Policy versioning | Consent validity |
| Data export | Right to portability |
| Soft deletion | Data retention |

Data Residency

  • Data stored in MongoDB Atlas

  • Region determined by cluster location

  • Contact support for specific requirements

Audit Capabilities

| Capability | Status |
| --- | --- |
| Consent logs | Available |
| Login tracking | Via session timestamps |
| Data modification | Via updatedAt fields |
| Access logs | Limited |

Compliance Responsibilities

PromptOwl Provides:

  • Encryption infrastructure

  • Access control systems

  • Consent management

  • Data isolation

Customer Responsible For:

  • User training

  • Policy enforcement

  • Compliance documentation

  • Incident response

Industry Standards

PromptOwl implements security practices aligned with:

  • OWASP Top 10 mitigations

  • SOC 2 Type II principles

  • ISO 27001 controls

  • GDPR requirements

Note: For specific compliance certifications or attestations, contact PromptOwl support.


Quick Reference

Security Features Summary

| Layer | Protection |
| --- | --- |
| Network | HTTPS/TLS |
| Authentication | OAuth + secure hashing |
| Authorization | RBAC |
| Data at Rest | Encrypted |
| Sessions | JWT + expiration |
| Multi-tenancy | Subdomain isolation |

Contact for Security

For security concerns:

  • Report vulnerabilities to security@promptowl.ai

  • Contact support for compliance questions

  • Review documentation for best practices

