Security & Trust Center

Your proposals are your competitive edge. We treat them that way.

Pricing, client lists, methodology — losing one proposal can wipe out years of work. This page documents exactly how Proparion protects what you put in it.

Last reviewed: 10 May 2026

Frameworks & standards we align with

  • DPDP Act 2023 (India) — aligned
  • GDPR (EU) — DPA-ready
  • OWASP Top 10 — hardened against
  • India residency — Mumbai (AP-South-1)

ISO 27001:2022 and SOC 2 Type II are on our roadmap, pursued when real customer demand justifies the spend. Today we do not hold either certification — but we inherit substrate security from our certified providers (Vercel, Supabase, OpenAI, Dodo, all SOC 2 / ISO 27001 attested). Email hello@proparion.com if you need a specific certification timeline for your procurement.

How we protect your data

Concrete controls, not marketing promises. Every claim below is verifiable in our codebase or via a third-party scan.

Per-organisation isolation

Postgres Row-Level Security on every table. Customer A's data is database-level unreadable to Customer B — even our own engineers query through the same boundary.

Encrypted in transit and at rest

TLS 1.2+ in flight (HSTS preload). AES-256 at rest on Postgres + object storage. File URLs are signed + short-lived.

Zero-retention AI

OpenAI runs under enterprise zero-retention terms. Your proposals are processed in-memory and discarded — never used to train shared models.

Hosted in Mumbai (AP-South-1)

Database, storage, embeddings all in India. Lower latency, lower legal friction, DPDP-Act-aligned data residency.

Granular access & audit

Owner / Admin / Editor / Viewer roles. Token-based invites that expire in 14 days. Every action recorded in an immutable audit log.

Export & delete on demand

Pull every proposal, draft, and chunk back out at any time. Closing your account permanently deletes embeddings, files, and metadata.

Defence-in-depth headers

Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP — verified live by SecurityHeaders.com.

Signed webhooks

Every payments webhook is HMAC-SHA256 signed (Standard Webhooks spec) + timestamp-bound. Replays + spoofs are rejected at the edge.

1. Infrastructure

Proparion runs on managed cloud infrastructure operated by providers with their own SOC 2 / ISO 27001 attestations. You inherit the substrate-level security from these:

  • Vercel (web hosting + edge functions) — primary edge in Mumbai (BOM1) for Indian users.
  • Supabase (Postgres + storage + auth) — AP-South-1 Mumbai region for all customer data.
  • OpenAI (LLM inference) — under enterprise zero-retention terms; your content is processed in-memory and not retained for training.
  • Dodo Payments (Merchant of Record) — PCI-DSS Level 1; we never touch card numbers.

2. Encryption

In transit: TLS 1.2+ on every connection. Strict-Transport-Security with max-age=63072000; includeSubDomains; preload — browsers refuse plaintext HTTP to any proparion.com subdomain for two years after first visit.

At rest: AES-256 (Supabase + Vercel managed encryption keys). File-storage URLs are signed and time-limited — no public download links.

Embeddings: 1024-dimensional vectors of your proposal content are stored alongside the source text in the same encrypted Postgres database, never exported.

3. Tenant isolation

Every Proparion table has Postgres Row-Level Security (RLS) enforced at the database level — not in application code. Every row carries an org_id; every query is automatically scoped to current_org_id() derived from the authenticated session JWT.

What this means: even if our application code had a bug, Postgres itself would refuse to return one customer's data to another customer's session. Storage buckets are folder-isolated by org UUID with the same RLS policy pattern.
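The isolation pattern described above, written out as an added illustration in Postgres/Supabase syntax; this is not Proparion's actual schema or policy text, and the table, column names other than org_id, and the JWT claim name are assumptions:

```sql
-- Added example (not Proparion's own code). Shows the RLS pattern from the
-- section above: every row carries org_id, and a policy scopes every query
-- to the tenant found in the caller's verified session JWT.

-- Resolve the tenant from the authenticated session. Supabase exposes the
-- verified JWT claims to SQL via the request.jwt.claims setting; the claim
-- name "org_id" is an assumption here.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'org_id', '')::uuid
$$;

-- Hypothetical table; only org_id is taken from the page.
create table proposals (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,          -- every row carries its tenant
  title   text not null,
  body    text
);

-- Enforce at the database, not in application code. FORCE makes the policy
-- apply even to the table owner, so a privileged app role cannot skip it
-- (superusers and roles marked BYPASSRLS still can; keep those off the app path).
alter table proposals enable row level security;
alter table proposals force row level security;

-- One policy for all commands: a row is readable or writable only when its
-- org_id matches the tenant in the caller's JWT. WITH CHECK stops an insert
-- or update from relabelling a row into another organisation.
create policy proposals_org_isolation on proposals
  for all
  using      (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Default the column from the session so application code cannot forget it.
alter table proposals alter column org_id set default current_org_id();

-- Sanity check: with no org claim, current_org_id() is NULL, the USING
-- expression evaluates to NULL (treated as false), and this returns zero rows
-- instead of every tenant's proposals, which is the fail-closed behaviour
-- the paragraph above relies on.
select count(*) from proposals;
```

Run the final select once with a session carrying an org_id claim and once without to confirm the two row counts differ.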

4. Authentication

  • Sign-in: Google OAuth 2.0 + email/password with bcrypt hashing (Supabase Auth defaults).
  • Sessions: HttpOnly + Secure + SameSite-Lax cookies; rotated on every login.
  • Two-factor auth (2FA): available on request today; native 2FA for all users ships in our next release. Email hello@proparion.com to enable it for your account now.
  • Service-role secrets live only on the server. They never reach the browser, are never logged, and are not in any JavaScript bundle (verifiable by inspecting the public client bundle at view-source).

5. Audit logs

Every state-changing action (proposal upload, draft edit, share-link create/revoke, settings change, member action, export, delete) is recorded in an append-only audit_logs table with: actor, organisation, action, resource type/id, IP address, user-agent, and timestamp.

Customers can request an audit-log export for their organisation any time — useful for SOC 2 / ISO 27001 evidence in your own audits.

6. Data residency

Customer data — proposals, RFPs, generated drafts, embeddings, branding, billing records — lives in Mumbai (AP-South-1) exclusively.

Some processing (AI inference via OpenAI; edge functions on Vercel) may transit through North-American or European data centres at request time, governed by Standard Contractual Clauses or equivalent safeguards. No customer content is persisted outside India.

7. Vulnerability disclosure

If you discover a security issue in Proparion, please report it to hello@proparion.com with subject "Security". We'll acknowledge within 48 hours and aim to patch critical issues within 7 days.

Our public disclosure policy lives at /.well-known/security.txt.

8. Incident response

In the event of a confirmed security incident affecting customer data, we will:

  • Notify affected customers within 72 hours (DPDP / GDPR-compliant timeline).
  • Provide a detailed post-mortem describing the incident, scope, remediation, and preventive measures.
  • Cooperate with customer-side investigations and audits.
  • Notify the relevant Data Protection authority (the Indian DPB once operational; regional authorities for cross-border data) as legally required.

9. Privacy & data rights

You retain ownership of all content you upload or generate in Proparion. Under DPDP Act 2023 (India), GDPR (EU/UK), and equivalent local laws elsewhere, you can:

  • Access the data we hold about you.
  • Export it in a portable format.
  • Correct inaccuracies.
  • Erase it (the "right to be forgotten").
  • Withdraw consent or restrict processing.
  • Receive notice of any sub-processor changes 30 days in advance.

Read the full Privacy Policy for legal-grade detail, or the Data Processing Addendum (DPA) for B2B contractual terms.

10. Subprocessors

A complete, up-to-date list of every third party who processes customer data on our behalf is maintained at /subprocessors. We give 30-day written notice (via email + this page) before adding a new subprocessor that processes customer content.

11. Backups & availability

Postgres point-in-time recovery (PITR) is enabled on Supabase with 7-day rolling history. File storage is replicated within the AP-South-1 region. Daily snapshots are retained for 90 days.

We commit to commercially reasonable efforts for high availability but do not currently publish a formal SLA; paying enterprise customers can request a written SLA in their order form.

12. Get in touch

For procurement, security questionnaires (SIG / CAIQ / custom), DPA requests, or anything else security or privacy related:

hello@proparion.com

We typically respond to security questionnaires within 3 business days.