Security

AI & Data Security

Last updated: March 2026

ProofPoints is built for teams that handle sensitive customer relationships, proprietary brand assets, and confidential business information. We understand that trusting a platform with your advocacy content - especially one that uses AI - requires clarity about exactly what happens to your data.

This page explains our commitments in plain language. No vague reassurances; specific, verifiable practices.


Our core promise

Your content, your customers, your brand assets, and your competitive intelligence are never used to train AI models, never shared with other organisations, and never accessible to anyone outside your team.


Security commitments

Your content is never used for AI training

Every AI request ProofPoints makes on your behalf uses API endpoints with explicit training opt-out enforced. Your stories, transcripts, interviews, brand guidelines, and customer data are never used to train, fine-tune, or improve any AI model. Content is processed and returned; nothing is retained by the model provider beyond the request lifecycle.

Your data stays yours

You own your content. ProofPoints processes it on your instruction to generate stories, score brand compliance, translate transcripts, and perform other tasks you initiate. We do not access, read, or use your content for any purpose other than delivering the service you requested. If you delete your data, it is deleted.

Complete tenant isolation

Every organisation on ProofPoints operates in a fully isolated environment. Your stories, contacts, companies, brand guidelines, transcripts, and all associated data are invisible to every other organisation. This isolation is enforced at the database level with row-level security policies, not just application logic.

Your customer relationships are protected

Advocate names, company names, interview recordings, and contact details are stored exclusively within your tenant. They are never shared, aggregated, anonymised for analytics, or made available to other customers. Your customer relationships are your competitive advantage; we treat them accordingly.

EU data residency

Your data is stored in EU data centres. All data at rest is encrypted using AES-256 encryption. All data in transit is protected with TLS 1.2 or higher. Database backups are encrypted and stored in the same region.

Access control and authentication

ProofPoints uses passwordless authentication via magic links, eliminating the risk of password breaches. Role-based access control enforces permissions at every API endpoint: viewers can read, members can create and edit, admins can manage, owners can configure. Every action is permission-checked server-side.

Comprehensive audit logging

Every significant action on the platform is logged with the user, timestamp, IP address, and details of the change. Audit logs are retained for a minimum of two years. This provides a complete trail for compliance reviews, incident investigation, and governance requirements.

Secure by design

Security headers are enforced on every response (content type protection, frame denial, strict referrer policy). All user input is validated and sanitised. Database error details are never exposed to clients. API keys and credentials are stored as encrypted environment variables, never in code.


Compliance and governance

ProofPoints is built on SOC 2-aligned security principles: tenant isolation, role-based access control, encryption at rest and in transit, comprehensive audit logging, input validation, and secure credential management.

We are committed to achieving formal SOC 2 Type II certification as the platform scales. In the meantime, our architecture, code practices, and operational procedures are designed to meet these requirements from day one, not retrofitted later.

For organisations that require specific security documentation, a Data Processing Agreement (DPA), or detailed compliance information, please contact hello@proofpoints.com.


How AI is used in ProofPoints

AI is used for specific, user-initiated tasks. It does not run in the background, does not make autonomous decisions, and does not access data you have not explicitly provided for that task.

Story generation: Transforms interview transcripts into written content based on your brand guidelines and asset type configuration.
Brand scoring: Evaluates generated content against your brand voice, messaging, and terminology guidelines.
Content rework: Revises content based on specific improvement areas you select.
Transcription: Converts audio and video recordings into text with speaker identification.
Translation: Translates transcripts and finished stories into 30+ languages.
Image generation: Creates hero images for stories based on your brand visual context.
Company enrichment: Researches publicly available company information to populate company profiles.

In every case, AI processing happens via secure API calls. Your content is sent, processed, and the result returned. No content is stored by the AI provider. No content is used for training. The AI provider sees only the specific input you provided for that specific task.


Administrator control

Tenant administrators have full visibility and control over AI configuration:

Choose which AI models are used for each task (writing, scoring, translation, image generation)

View and edit every prompt template the AI uses - nothing is hidden

Configure brand guidelines that constrain AI output

Review audit logs of all AI-assisted actions

Control user roles and permissions for who can generate, edit, and publish


Security questions?

If you have questions about our security practices, need a DPA, or require specific compliance documentation for your organisation, contact hello@proofpoints.com.