Trust center

Trust.

How PromptAssay handles your data, your provider keys, and your security questions. We answer plainly and we link to the real documents.

Security posture

We do not train on your content

Shipped

PromptAssay does not train, fine-tune, or otherwise use any of your content to improve a machine learning model. There is no training pipeline in the platform. Your prompts are used only to operate the workbench you signed up for. Documented in section 5 of the privacy policy.

Provider responses stay with your provider

Shipped

Provider responses are not retained on our servers, with one named exception: evaluation test outputs are saved with each test case so you can review your run history. Playground runs, in-editor AI actions (critique, improve, rewrite, brainstorm, compare), and brainstorm chat history are cached in your browser and never persisted server-side. PromptAssay stores prompt text, version metadata, fragments, annotations, and the test cases you create.

Encrypted key storage

Shipped

Provider API keys are encrypted at rest. They never leave the server, never appear in logs, and are only used to make the LLM call you triggered.

Tenant isolation

Shipped

Every database query is scoped to your organization. Row-level enforcement is applied at the database layer in addition to the application layer.

Role-based access

Shipped

Owner, admin, and member roles. Owners control billing and dangerous actions. Admins manage members and shared content. Members read and write within the workspace.

SAML SSO

Available

Available on the Enterprise tier. Bring your own identity provider and enforce sign-in through it.

Data Processing Agreement

Available

DPA available on the Enterprise tier. Covers GDPR Article 28 processor obligations.

Formal certifications

In progress

PromptAssay does not currently hold SOC 2 or ISO 27001 attestations. We will pursue formal certification when our customer mix requires it. In the meantime, the controls listed above are in place and can be evidenced on request via the security contact below.

System status
All systems operational

Live health check covers Supabase, every supported LLM provider, and Stripe. Updated continuously.

Open the live health endpoint
Security contacts