Trust center

Trust.

How Prompt Assay handles your data, your provider keys, and your security questions. We answer plainly and we link to the real documents.

Security posture

We do not train on your content

Shipped

Prompt Assay does not train, fine-tune, or otherwise use any of your content to improve a machine learning model. There is no training pipeline in the platform. Your prompts are used only to operate the workbench you signed up for. Documented in section 5 of the privacy policy.

Provider responses stay with your provider

Shipped

Provider responses are not retained on our servers, with two named exceptions: evaluation test outputs are saved with each test case so you can review your run history, and Skills Behavioral Eval results (model output + judge verdict per probe-and-model cell) are persisted so you can save and share a Skill Report. Playground runs, in-editor AI actions (critique, improve, rewrite, brainstorm, compare), and brainstorm chat history are cached in your browser and never persisted server-side. Prompt Assay stores prompt text, skill bundles, version metadata, fragments, annotations, and the test cases you create.

Skills Behavioral Eval runs on your keys, every cell

Shipped

A Skills Behavioral Eval runs N probes × M models on your provider keys. Every cell, including the inner judge call that scores activation and adherence, routes through your BYOK (bring-your-own-key) provider keys. We never proxy that traffic, never aggregate it for our own use, never sample it for training. Provider bills land on your provider account exactly as they do for prompt critique and the multi-model Playground compare.

Encrypted key storage

Shipped

Provider API keys are encrypted at rest. They never leave the server, never appear in logs, and are only used to make the LLM call you triggered.

Tenant isolation

Shipped

Every database query is scoped to your organization. Row-level enforcement is applied at the database layer in addition to the application layer.

Role-based access

Shipped

Owner, admin, and member roles. Owners control billing and dangerous actions. Admins manage members and shared content. Members read and write within the workspace.

SAML SSO

Available

Available on the Enterprise tier. Bring your own identity provider and enforce sign-in through it.

Data Processing Agreement

Available

DPA available on the Enterprise tier. Covers GDPR Article 28 processor obligations.

Formal certifications

In progress

Prompt Assay does not currently hold SOC 2 or ISO 27001 attestations. We will pursue formal certification when our customer mix requires it. In the meantime, the controls listed above are in place and can be evidenced on request via the security contact below.

System status
All systems operational

Live health check covers Supabase, every supported LLM provider, and Stripe. Updated continuously.

Open the live health endpoint
Security contacts