Security at prospiq

This page explains where your data lives, how we protect it, what we commit to when something goes wrong, and the privacy laws we follow. Specific facts, not marketing claims.

Last updated: 11 May 2026

Where your data lives

Every account, search, and enrichment result you create on prospiq is stored in a single PostgreSQL database hosted on Supabase, which runs on Amazon Web Services in the Singapore region (ap-southeast-1). We chose Singapore because it offers strong privacy protections, fast routing for customers across Asia and Europe, and is a region recognised by the EU as offering an adequate level of data protection.

The web application itself — the pages you see at prospiq.net — runs on Vercel's global edge network. Static content like our landing page is served from the edge node closest to you, which is why the site loads quickly anywhere in the world. But your actual data — the searches you run, the contacts you save, the credits you have remaining — never leaves Singapore.

  • Region: Singapore (AWS ap-southeast-1)
  • Database: Supabase (managed PostgreSQL)
  • Frontend: Vercel (global edge network)
  • Data residency: all customer data stays in Singapore

How your data is protected, in transit and at rest

Every connection to prospiq.net is encrypted using TLS 1.3 — the most recent version of the Transport Layer Security protocol. This is the same technology your browser uses when you log into your bank. It means no one between your device and our servers can read what you're sending or receiving, even if they intercept the traffic. You can verify this yourself: the padlock icon in your browser's address bar confirms the connection is encrypted.

Once your data reaches our database, it is encrypted at rest using AES-256, the encryption standard adopted by the US government for classified information. This means that even if someone gained physical access to the underlying storage (which is itself protected by AWS's physical security controls), they would not be able to read the data without the decryption keys.

Database backups happen automatically every day and are retained for seven days. Backups are encrypted using the same AES-256 standard.

  • In transit: TLS 1.3
  • At rest: AES-256
  • Backups: daily, 7-day retention, encrypted

We don’t store your password

prospiq does not have password-based login. We don't collect, store, or transmit passwords for our service — which means a password leak from prospiq is impossible, because there are no passwords to leak.

Instead, you sign in one of three ways: by clicking a one-time link we email to you (a magic link), by signing in with your Google account, or by signing in with your Microsoft account. When you use Google or Microsoft, you authenticate directly with them — we receive only a confirmation that you are who you say you are, plus your email address and name. We never see your Google or Microsoft password.

Magic links expire after a short window and can only be used once. Active sessions are short-lived and refresh on use — if you stop using prospiq for a long time, your session expires automatically and you'll need to sign in again.

  • Methods: Microsoft OAuth, Google OAuth, email magic link
  • Passwords: never stored — none exist
  • Session: short-lived, refresh on use
  • Magic links: single-use, expire automatically

Database-level isolation between accounts

Most data leaks at SaaS companies happen because of application-level bugs. A developer writes a query that forgets to filter by user, and suddenly one customer can see another customer's data. We've designed prospiq to make this category of bug impossible at the database level — not the application level.

Every table in our database that holds customer data is protected by Row-Level Security (RLS), a PostgreSQL feature that enforces access rules inside the database itself. For each table, we've defined a policy that says: a user can only ever read or modify rows that belong to them. These policies run on every single query, automatically, before the database returns any data.

In practical terms: even if a developer writing application code somewhere makes a mistake and queries for “all rows” instead of “my rows,” the database itself filters out anything that doesn't belong to the requesting user. The bug becomes a non-event instead of a breach.
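The behaviour described above can be reproduced on any PostgreSQL instance. The following is an added example, not prospiq's own schema or policies: the `searches` table, the `app_user` role and the `app.user_id` session setting are assumptions chosen for illustration.

```sql
-- Constructed demo schema and rows; not prospiq's real tables or policies.
create role app_user nologin;

create table searches (
    id       bigint generated always as identity primary key,
    owner_id uuid not null,
    query    text not null
);
grant select, insert, update, delete on searches to app_user;

insert into searches (owner_id, query) values
    ('11111111-1111-1111-1111-111111111111', 'account A search'),
    ('22222222-2222-2222-2222-222222222222', 'account B search');

-- Turn RLS on; FORCE makes the policies apply to the table owner as well.
alter table searches enable row level security;
alter table searches force  row level security;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects rows written on behalf of another account.
-- An unset or empty app.user_id yields NULL, so the policy matches nothing.
create policy searches_owner_only on searches
    for all to app_user
    using      (owner_id = nullif(current_setting('app.user_id', true), '')::uuid)
    with check (owner_id = nullif(current_setting('app.user_id', true), '')::uuid);

-- Simulate one request made as account A.
begin;
set local role app_user;
set local app.user_id = '11111111-1111-1111-1111-111111111111';

-- The "all rows" mistake: no WHERE clause, yet only account A's row is visible.
select id, owner_id, query from searches;

-- Targets account B's row; the policy hides it, so no row is updated.
update searches set query = 'tampered'
 where owner_id = '22222222-2222-2222-2222-222222222222';

-- Writing a row for account B violates WITH CHECK and raises an error.
insert into searches (owner_id, query)
values ('22222222-2222-2222-2222-222222222222', 'forged');
rollback;
```

Superusers and roles created with `BYPASSRLS` are not subject to these policies, so any credential of that kind needs its own access controls and audit trail.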

Our internal admin dashboard — used by us to provide support, troubleshoot issues, and run the business — uses a separate, audited credential. We only use it when responding to a specific customer issue or operating the product, never to browse data casually.

From the moment you sign up to the moment you leave

We've thought about every stage of your data's journey through prospiq, from the first byte we collect to the moment it's gone. Here's what happens at each stage.

What we collect

When you sign up, we collect your email address and (optionally) your name — the minimum we need to give you an account and address you in emails. When you use the product, we record what you searched for, the results we returned, and how many credits the search used. We also keep standard web request logs (your IP address, browser, the page you visited) for thirty days, so we can investigate abuse or technical problems.

How we use it

Your data is used to deliver the product to you: returning enrichment results, billing credits accurately, showing you your search history, keeping you signed in. We use aggregated and anonymised search data to improve our verification accuracy over time — meaning, we look at patterns across all searches to learn that, say, a particular email pattern bounces 40% of the time, so we should weight it lower. We do not use your data to train external AI models or sell it to third parties.

When you delete your account

You can delete your prospiq account at any time from your account settings. To prevent accidental deletion, we ask you to type the word “DELETE” into a confirmation box. Once you confirm, your data is removed from our database immediately — not in 30 days, not in 90 days, immediately.

Specifically: the moment you confirm deletion, our backend removes your user record. PostgreSQL's foreign-key cascade rules then automatically delete every row across the database that referred to you — your searches, your saved lists, your team membership, your API keys, everything. Your authentication identity is also removed. We send you a final farewell email confirming deletion, and that's the last contact we'll ever have with you.

The one exception: if you authored any public blog content (extremely rare — only a handful of internal users have publishing rights), the content stays up but the author is anonymised. This protects readers from broken links to public posts.

We do retain one tiny piece of information after you delete: a one-way cryptographic hash of your email address, plus your remaining credit count. This is stored in a separate table and is used solely to prevent someone from creating, deleting, and re-creating accounts to abuse our free credit allocation. The hash cannot be reversed to recover your email address. Nothing else about you persists.
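A sketch of the deletion flow described in this section, as an added example that is not prospiq's own schema: all table and column names are assumptions, and SHA-256 over the lower-cased address stands in for the unspecified one-way hash. The final query is a check that every table referencing `users` actually carries a delete rule.

```sql
-- Constructed demo schema and rows; table and column names are assumptions.
create table users (
    id      uuid primary key,
    email   text not null unique,
    credits integer not null default 0
);
create table searches (
    id      bigint generated always as identity primary key,
    user_id uuid not null references users(id) on delete cascade,
    query   text not null
);
create table api_keys (
    id       bigint generated always as identity primary key,
    user_id  uuid not null references users(id) on delete cascade,
    key_hash bytea not null
);
-- Public posts survive deletion; the author link is cleared instead.
create table blog_posts (
    id        bigint generated always as identity primary key,
    author_id uuid references users(id) on delete set null,
    title     text not null
);
-- Holds no foreign key to users, so the cascade never touches it.
create table deleted_account_markers (
    email_hash        bytea primary key,
    credits_remaining integer not null
);

insert into users values
    ('11111111-1111-1111-1111-111111111111', 'user@example.com', 7);
insert into searches (user_id, query) values
    ('11111111-1111-1111-1111-111111111111', 'constructed search');

-- Deletion as a single transaction: record the marker, then remove the user.
begin;
insert into deleted_account_markers (email_hash, credits_remaining)
select sha256(convert_to(lower(email), 'UTF8')), credits
  from users
 where id = '11111111-1111-1111-1111-111111111111';
delete from users where id = '11111111-1111-1111-1111-111111111111';
commit;

-- Audit: every foreign key into users and its delete rule
-- (c = cascade, n = set null, a = no action, r = restrict, d = set default).
select conrelid::regclass as child_table, conname, confdeltype
  from pg_constraint
 where contype = 'f' and confrelid = 'users'::regclass;
```

A child table that shows rule `a` or `r` would block the delete, and a table that stores a user id without any foreign key would not appear in the audit at all and would keep its rows.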

  • Deletion timing: immediate
  • Confirmation: typed "DELETE" required
  • Retention: one-way email hash only, for abuse prevention
  • Authored blog content: preserved, author anonymised

Found a vulnerability? Tell us.

We take responsible disclosure seriously. If you're a security researcher and you've found a vulnerability in prospiq — anything from a way to access another user's data, to a flaw in our login flow, to a way to bypass our credit accounting — we want to hear from you first, before it becomes a problem for our customers.

Email security@prospiq.net with details of what you found, how to reproduce it, and any context that helps us understand the impact. We'll acknowledge your report within five business days and keep you updated on our investigation and fix.

We don't pursue legal action against good-faith researchers. We don't currently offer a paid bug bounty — we're a small team with limited runway — but we'll publicly credit you (with your permission) once the issue is fixed, and we'd like to start a paid programme as soon as we can.

  • Acknowledgement: within 5 business days
  • No legal action against good-faith research
  • No paid bounty yet — public credit offered with your consent

If something goes wrong, you'll hear it from us

We'd rather not have to use this section. But if a security incident affects your data — whether through our mistake, a vendor's mistake, or a malicious actor — we believe you have a right to know what happened, what was affected, and what we're doing about it.

If we confirm an incident that affects your account, we'll notify you by email within 72 hours of confirming it. The notification will be specific: what happened, what data was involved, what we've done in response, and what (if anything) you should do. We'll continue to update you as we learn more.

72 hours is the same notification window required by the GDPR for personal-data breaches. We've made it our standard regardless of whether GDPR formally applies in your case.

  • Notification: within 72 hours of confirming an incident
  • Channel: email to your account address
  • Includes: what happened, what was affected, what we're doing
  • Follow-up: ongoing updates until the matter is closed

How we align with privacy law

prospiq is built to comply with the European Union's General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP). Both frameworks rest on similar principles: collect only what you need, use it only for the purpose you stated, give people the right to see and delete their data, and protect it appropriately while you have it.

Practically, that means: we don't collect data we don't need. We tell you upfront what we're collecting and why. We give you the ability to download all your data at any time, and to delete it immediately. We don't sell data to third parties. We don't use your contact searches to build a marketing list to spam other people. We respond to data-subject access and deletion requests within the statutory windows.

For B2B customers who need a Data Processing Agreement (DPA) signed between your company and ours, our standard DPA is available at prospiq.net/dpa.

If you want the full legal detail on what we collect, why, who we share it with, and how to exercise your rights, our Privacy Policy is the authoritative source.

GDPR (European Union)

  • Data minimisation
  • Purpose limitation
  • Right of access
  • Right to erasure
  • Right to portability
  • 72-hour breach notification

DPDP (India)

  • Purpose limitation
  • Consent for processing
  • Data localisation aware
  • Right to correction
  • Right to erasure
  • Grievance redressal

Have a question we haven't answered?

We're happy to walk you through anything in detail — vendor due diligence, security questionnaires, or just a quick clarification.