Security
Last updated: March 26, 2026 · BoringDollars, Inc. — a Delaware corporation
Responsible disclosure: Found a vulnerability? Email security@prago.io. We acknowledge within 24 hours and treat all good-faith reports with full cooperation — no legal action against researchers.
1. Our Commitment
Prago holds OAuth access to your advertising accounts and analytics data. That is a high-trust position. Our security practices are designed around that responsibility — not as an afterthought, but as a core design constraint.
This page describes what we do to protect your data and what you can expect from us. It is intentionally written at a principles level rather than listing specific tools or configurations — security through transparency of commitment, not transparency of implementation.
Questions? security@prago.io
2. Infrastructure
2.1 Hosting
Prago runs on enterprise-grade cloud infrastructure in the United States, operated by a major cloud provider with ISO 27001, SOC 2 Type II, and FedRAMP certifications. All infrastructure is provisioned with the principle of least privilege and is not publicly exposed beyond what is strictly required to serve the application.
2.2 Encryption
- In transit: All data is transmitted over encrypted connections (TLS). We enforce HTTPS site-wide with HTTP Strict Transport Security (HSTS) policies.
- At rest: All stored data — including databases, backups, and file storage — is encrypted at rest using industry-standard symmetric encryption (AES-256).
- OAuth tokens: Third-party platform tokens (Google, Meta, LinkedIn, etc.) receive a second layer of application-level encryption on top of storage-level encryption. They are decrypted only in memory during active task execution, never logged in plaintext.
- Secrets: Application credentials and API keys are stored in a dedicated secrets management system — never in source code or unencrypted configuration files.
2.3 Network Controls
- All internal components communicate over a private network; databases and internal services are not accessible from the public internet
- Web Application Firewall protection is in place for all public endpoints
- DDoS mitigation is active at the infrastructure level
- Rate limiting is enforced on authentication and API endpoints
- All API activity is logged and retained for security monitoring
3. Application Security
3.1 Authentication
- Passwords: Stored as salted cryptographic hashes — we never store or transmit plaintext passwords
- Sessions: Sessions are cryptographically signed and rotate regularly. Tokens are invalidated on logout and suspicious activity
- Multi-factor authentication (MFA): TOTP-based MFA is available for all accounts. We strongly recommend enabling it
- Third-party platform access: Exclusively via OAuth 2.0 — we never ask for or store your platform passwords
- Account lockout: Repeated failed login attempts trigger an automatic lock and email alert to the account owner
3.2 Access Control
- Role-based access control is enforced at every API endpoint
- Prago employees have no access to customer account data by default
- Any support access to your account requires your explicit consent, is time-limited, and is fully logged
- Production system access for engineers requires MFA, VPN, and explicit authorization with regular access reviews
3.3 Secure Coding Practices
- All database queries use parameterized statements to prevent injection attacks
- User-supplied content is sanitized before rendering to prevent cross-site scripting (XSS)
- All code changes are peer-reviewed before merging to production
- Automated vulnerability scanning runs on every code change, including dependency checks
- AI prompt construction uses structured templating — not raw string concatenation with user input — to mitigate prompt injection risks
4. Data Handling
4.1 Tenant Isolation
Each account's data is strictly isolated at the data layer. Queries are designed to enforce this at the database level, not just the application level — one account cannot inadvertently or maliciously access another account's data.
4.2 OAuth Token Lifecycle
- Tokens are used only for the specific operations required by your authorized tasks
- Refresh tokens are rotated on each use where the connected platform supports it
- On integration disconnection or account deletion, tokens are immediately purged from our systems and we trigger platform-level revocation where available
4.3 AI Inference
- Prompts sent to our AI provider are scoped to the minimum context required for the task
- Our agreement with our AI provider explicitly prohibits use of our prompts for their model training
- Sensitive credentials and PII are excluded from AI prompts by design
4.4 Backups and Retention
- Database backups run automatically on a daily schedule
- Backups are encrypted and stored separately from the primary environment
- Backup restoration procedures are tested on a regular cadence
- On account deletion, all personal data is purged within 30 days per our Privacy Policy
5. Operational Security
5.1 People and Processes
- Security awareness training is mandatory for all team members upon hire and annually
- All employee devices have full-disk encryption and are managed under an MDM policy
- All company accounts enforce SSO with MFA
- Access is revoked immediately upon offboarding
5.2 Monitoring
- Logs are centralized and monitored for anomalous patterns — unusual access times, data export spikes, repeated authentication failures
- Infrastructure and application health is monitored continuously
- Security events generate automated alerts to our on-call team
5.3 Incident Response
We maintain a documented incident response process. In a confirmed security incident:
- Affected systems are isolated immediately upon confirmation
- Scope and affected accounts are assessed
- If your personal data is involved, we will notify you within 72 hours as required by law
- A post-incident review is conducted and controls are updated to prevent recurrence
6. Compliance
- SOC 2 Type II: In progress. Our controls are designed to meet SOC 2 Trust Service Criteria.
- GDPR: Data Processing Agreements are in place with all sub-processors. See our Privacy Policy — GDPR section for full details.
- CCPA / CPRA: We comply with California privacy requirements. See our Privacy Policy.
- PCI DSS: Prago does not process or store payment card data. All payments are handled by a PCI DSS Level 1 certified payment processor.
Enterprise customers may request security questionnaire responses and (once available) our SOC 2 report under NDA: security@prago.io
7. Responsible Disclosure
Security researchers who follow responsible disclosure are protected from legal action by us. To report a vulnerability:
- Email security@prago.io with steps to reproduce and estimated impact
- We will acknowledge within 24 hours and provide a status update within 5 business days
- Do not access or alter user data beyond what is necessary to confirm the issue
- Do not disclose publicly until we have shipped a fix — we will keep you informed of progress
We recognize researchers publicly in our security acknowledgments and assess case-by-case goodwill rewards for significant findings.
8. Contact
Security Team — BoringDollars, Inc.
Vulnerability reports: security@prago.io
For encrypted communication, email us to request our public key.
131 Continental Dr Suite 305, Newark, DE 19713, United States