Security

Our Security Commitment

At Prompt Repo, we take security seriously. We implement industry-standard security measures to protect your data, API keys, and content. This page outlines our security practices, infrastructure, and the measures we take to keep your information safe.

Security is an ongoing process, and we continuously review and improve our security practices to address emerging threats and maintain the highest standards of protection.

Data Encryption

API Key Encryption

Your OpenRouter API keys are protected using strong encryption:

• Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode)
• Encryption at Rest: API keys are encrypted before being stored in our database
• Decryption: Keys are only decrypted in memory when needed for API calls to OpenRouter
• Key Management: Encryption keys are stored securely and never exposed in logs or error messages
• Fingerprinting: We display only a fingerprint (partial preview) of your API key for identification purposes

Data in Transit

All data transmitted between your browser and our servers is protected:

• HTTPS/TLS: All connections use Transport Layer Security (TLS) 1.2 or higher
• Certificate Validation: We use valid SSL/TLS certificates from trusted Certificate Authorities
• Secure Protocols: We support only secure cryptographic protocols
• API Communications: All API calls to third-party services (OpenRouter, WorkOS, Stripe) are made over HTTPS

Database Encryption

Our database is hosted on Neon, which provides:

• Encryption at rest for all stored data
• Encrypted connections between our application and the database
• Regular security updates and patches
• Compliance with industry security standards

Session Tokens

Your authentication sessions are secured using:

• JWT Tokens: JSON Web Tokens signed with a secret key
• Expiration: Sessions expire after 7 days of inactivity
• Secure Storage: Tokens are stored in HttpOnly cookies, preventing JavaScript access
• Secure Flag: Cookies are only sent over HTTPS in production

Authentication Security

WorkOS Authentication

We use WorkOS for secure authentication, which provides:

• Industry-standard authentication protocols (OAuth 2.0, OIDC)
• Support for multiple authentication methods (email/password, magic links, OAuth providers)
• Secure session management
• Protection against common attacks (brute force, credential stuffing)
• Compliance with security best practices

Session Management

Our session management includes:

• HttpOnly Cookies: Session cookies cannot be accessed via JavaScript, protecting against XSS attacks
• Secure Cookies: Cookies are only transmitted over HTTPS in production
• SameSite Protection: Cookies use SameSite=Lax to protect against CSRF attacks
• Automatic Expiration: Sessions expire after 7 days of inactivity
• Logout Functionality: You can log out at any time, which invalidates your session

Password Security

When using email/password authentication (handled by WorkOS):

• Passwords are hashed using industry-standard algorithms
• We never store or have access to your plain-text password
• Password requirements are enforced (minimum length, complexity)
• Account lockout protection after multiple failed login attempts

Access Controls

User Authentication

Access to Prompt Repo requires:

• Valid user account with verified email address
• Successful authentication through WorkOS
• Active session token
• Account must not be deleted or suspended

Team-Based Access Controls

Team collaboration features include:

• Team Membership: Only team members can access team content
• Role-Based Permissions: Team owners have additional permissions (invite members, manage API keys, delete team)
• Content Isolation: Prompts and experiments are isolated by team
• API Key Access: Team API keys are only accessible to team members

API Key Access Controls

API key usage is controlled by:

• Only the account owner can view or modify their personal API keys
• Team API keys are accessible only to team members
• API keys are never exposed in URLs, logs, or error messages
• API keys are encrypted at rest and only decrypted when needed

Infrastructure Security

Database Hosting (Neon)

Our database is hosted on Neon, which provides:

• Managed PostgreSQL with automatic updates and patches
• Encryption at rest and in transit
• Automated backups with point-in-time recovery
• Network isolation and firewall protection
• Compliance with SOC 2 Type II and other security standards

Application Hosting (Vercel)

Our application is hosted on Vercel, which provides:

• Global CDN for fast and secure content delivery
• Automatic HTTPS with valid SSL certificates
• DDoS protection and mitigation
• Isolated serverless functions
• Regular security updates and patches

Network Security

Our network security measures include:

• Firewall protection to restrict unauthorized access
• DDoS protection to mitigate denial-of-service attacks

Data Protection

Data Minimization

We follow data minimization principles:

• We only collect data necessary to provide our service
• We do not collect unnecessary personal information
• We delete or anonymize data when it is no longer needed
• API keys are encrypted and only decrypted when needed

Secure Data Storage

Your data is stored securely:

• All data is encrypted at rest in our database
• Sensitive data (API keys) uses additional encryption (AES-256-GCM)
• Data is stored in secure, access-controlled databases

Backups

We maintain regular backups of your data:

• Automated daily backups of all data
• Point-in-time recovery capabilities
• Backups are encrypted and stored securely
• Regular testing of backup restoration procedures

Data Retention

We retain your data according to our data retention policy:

• Active accounts: Data is retained while your account is active
• Deleted accounts: Accounts are soft-deleted but data may be retained for team collaboration
• You can request complete data deletion by contacting us
• Legal requirements: We may retain certain data longer if required by law

Third-Party Security

WorkOS

We use WorkOS for authentication, which maintains:

• SOC 2 Type II compliance
• GDPR compliance
• Regular security audits and penetration testing
• Industry-standard security practices

Privacy Policy: https://workos.com/legal/privacy-policy

Stripe

We use Stripe for payment processing, which maintains:

• PCI DSS Level 1 compliance (highest level of payment security)
• Encryption of all payment data
• Regular security audits and assessments
• Fraud detection and prevention

Security Information: https://stripe.com/docs/security

OpenRouter

We use OpenRouter as a gateway to LLM providers. When you use OpenRouter API keys:

• Your prompts and inputs are sent to OpenRouter and then to LLM providers
• OpenRouter maintains security practices for API key protection
• You are responsible for complying with OpenRouter's terms of service

Privacy Policy: https://openrouter.ai/privacy

Incident Response

If a security incident affects your data, we will:

• Notify you via email within 72 hours of becoming aware of the incident
• Provide details about what happened and what data may have been affected
• Explain the steps we are taking to address the incident
• Comply with applicable data breach notification laws

Compliance

GDPR

We are committed to compliance with the General Data Protection Regulation (GDPR):

• We respect your data protection rights (access, deletion, portability, etc.)
• We implement appropriate technical and organizational measures

Industry Standards

We follow industry best practices and standards:

• OWASP Top 10 security guidelines
• Secure coding practices

Security Best Practices for Users

Account Security

To help keep your account secure:

• Use a strong password: Choose a unique, complex password for your account
• Don't share credentials: Never share your account password or API keys with others
• Enable two-factor authentication: If available through WorkOS, enable 2FA for additional security
• Log out when finished: Especially when using shared or public computers
• Monitor your account: Regularly review your account activity and team memberships

API Key Protection

Protect your OpenRouter API keys:

• Keep keys private: Never share your API keys publicly or in code repositories
• Use team keys carefully: Only share team API keys with trusted team members
• Rotate keys regularly: Consider rotating your API keys periodically
• Monitor usage: Regularly check your API usage and costs on OpenRouter
• Revoke compromised keys: If you suspect a key is compromised, revoke it immediately and create a new one

General Security Tips

• Keep your browser and operating system up to date
• Use a reputable antivirus and anti-malware software
• Be cautious of phishing attempts (we will never ask for your password via email)
• Only access Prompt Repo from trusted networks and devices
• Review team memberships regularly and remove inactive members

Reporting Security Issues

If you discover a security vulnerability or have concerns about security, please report it to us immediately:

• Email: contact@prompt-repo.com

Please include:

• A detailed description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Any suggested fixes or mitigations

We take security reports seriously and will respond promptly. We ask that you:

• Act in good faith and avoid accessing or modifying data you don't own
• Keep the vulnerability confidential until we have addressed it
• Give us reasonable time to fix the issue before public disclosure

Contact for Security Concerns

For security-related questions or concerns, please contact us: