How we protect your data and your clients' data.

We're not a bank, but we treat your data like one. Here's exactly what we do.

Infrastructure

Propella runs on Vercel (hosting) and Supabase (database). Both use AWS infrastructure with SOC 2 Type II certification. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Payments

All payment processing is handled by Stripe. We never store card numbers, CVVs, or full payment details. Stripe is PCI DSS Level 1 certified — the highest level available.

AI generation

We use the OpenAI API for proposal generation. Per OpenAI API terms, content sent via API is not used to train their models. Your proposals stay yours.

Access control

• →Passwords are hashed using bcrypt, never stored in plain text
• →Sessions expire after inactivity
• →2FA available on all accounts — we recommend enabling it
• →Team accounts have role-based permissions — members can't access billing or export data unless you grant it

What we're working on

• →SOC 2 Type II audit (in progress, target Q4 2025)
• →SSO / SAML for Studio plan
• →Dedicated EU data residency option

Found a vulnerability?

Responsible disclosure: hello@propella.app with subject "Security". We'll respond within 24 hours and credit you if you'd like.

Last updated: June 2025.