— Trust Center

Security you can verify.

Bank-grade encryption. PCI-DSS-compliant payments via Stripe. SOC 2 Type II in progress. Here’s everything we do to protect your business and your clients’ data — with receipts.

256-bit SSL / TLS 1.3 (Active)
All traffic encrypted end-to-end via HSTS + automatic HTTPS redirect.

PCI-DSS Compliant (Stripe Level 1)
Card data never touches ProChair servers. Payments handled by Stripe (PCI DSS Level 1 Service Provider).

SOC 2 Type II (In progress · Q4 2026)
Annual audit of security, availability, and confidentiality controls by a Big-Four-affiliated CPA firm.

GDPR Ready (EU-aligned)
Data subject access, right to erasure, data portability. DPA available for EU business customers.

CCPA Compliant (California)
Do-not-sell opt-out honored. Data sale disclosure. Covered business and consumer rights.

Vulnerability Disclosure (Public policy)
Responsible disclosure program. Safe harbor for good-faith security research.
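The transport card above claims HSTS plus an automatic HTTPS redirect. The following script is an added example, not ProChair's code, showing how a customer or auditor can check that claim from two responses: the plain-http:// answer and the https:// answer. The responses embedded below are constructed for the demonstration, not captured from prochair.app, and the one-year minimum for max-age is an assumption taken from common preload guidance rather than anything the page states.

```python
"""Check an origin's HSTS + HTTPS-redirect posture.

Added example, not ProChair's code. Sample responses are constructed.
"""
import http.client
from dataclasses import dataclass, field

# Assumption: one year is the floor most HSTS preload guidance expects.
MIN_HSTS_MAX_AGE = 31_536_000


@dataclass
class CheckResult:
    ok: bool
    findings: list = field(default_factory=list)


def parse_hsts(value):
    """Split a Strict-Transport-Security header into {directive: value}.

    Flag directives without a value (includeSubDomains, preload) map to True.
    Directive names are case-insensitive per RFC 6797, so they are lowercased.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, val in headers.items():
        if key.lower() == name:
            return val
    return None


def check_transport_security(http_status, http_headers, https_headers):
    """Evaluate one http:// response and one https:// response.

    http_status/http_headers: what a GET over plain HTTP returned.
    https_headers: headers of the same path fetched over HTTPS.
    """
    findings = []

    # 1. Plain HTTP must redirect permanently, and only to an https:// URL.
    if http_status not in (301, 308):
        findings.append(f"http:// returned {http_status}, expected 301 or 308")
    location = _header(http_headers, "location")
    if not location or not location.lower().startswith("https://"):
        findings.append("http:// redirect does not point to an https:// URL")

    # 2. The HTTPS response must carry a usable HSTS policy.
    hsts = _header(https_headers, "strict-transport-security")
    if hsts is None:
        findings.append("https:// response has no Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age")
        if max_age is None or not str(max_age).isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # 3. Browsers ignore HSTS sent over plain HTTP; its presence there usually
    #    means the header is applied before the redirect, which is harmless but
    #    suggests the policy was never tested on the https:// side.
    if _header(http_headers, "strict-transport-security"):
        findings.append("HSTS header sent over http:// is ignored by browsers")

    return CheckResult(ok=not findings, findings=findings)


def fetch_and_check(host, path="/"):
    """Live variant: fetch the two responses (no redirect following) and check."""
    plain = http.client.HTTPConnection(host, timeout=10)
    plain.request("GET", path)
    http_resp = plain.getresponse()
    secure = http.client.HTTPSConnection(host, timeout=10)
    secure.request("GET", path)
    https_resp = secure.getresponse()
    return check_transport_security(
        http_resp.status, dict(http_resp.getheaders()), dict(https_resp.getheaders())
    )


if __name__ == "__main__":
    # Constructed sample exchange standing in for a live host.
    result = check_transport_security(
        301,
        {"Location": "https://example.invalid/"},
        {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    )
    print("OK" if result.ok else "\n".join(result.findings))
```

Run `fetch_and_check("your-host")` against an origin you operate to get the same verdict from live headers; the constructed input in `__main__` exercises the passing path offline.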

— Data handling

Your data. Your control. Plain English.

Where is data stored?
All primary data lives in Supabase (PostgreSQL) on AWS us-east-1 with automatic daily backups and point-in-time recovery. Payment data never hits our infrastructure — Stripe holds it.

Who can see my data?
Only you, your authorized team members, and the specific ProChair engineers on-call for an incident you've logged. Access is role-based, logged, and reviewed quarterly.

Do you sell or share data with third parties?
No. We don't sell user data, ever. We share only with sub-processors required to run the service (Stripe, Supabase, Vercel, Twilio, OpenAI / Anthropic for AI features). Full list at prochair.app/subprocessors.

Can I export my data?
Yes. Full CSV + JSON export of your clients, services, bookings, and revenue is available in Settings → Export at any time. No lock-in.

What happens if I cancel?
Your data is retained for 90 days so you can reactivate, then permanently deleted. You can request immediate deletion in writing at privacy@prochair.app.

How do you handle breaches?
Incident response plan with 72-hour notification to affected users (GDPR standard) and our regulator-facing DPA. Post-mortems published at prochair.app/status once resolved.

— Sub-processors

Who we trust with what.

A sub-processor is a third-party service we use to run ProChair. Everyone below is contractually bound to our Data Processing Agreement.

Service                  Purpose
Stripe                   Payment processing, payouts, KYC
Supabase                 Primary database + authentication
Vercel                   Application hosting + edge delivery
Twilio / Tylynx          Transactional SMS for booking reminders
Resend / Brevo           Transactional email
Anthropic, OpenAI        AI features (receptionist, content studio)
Google Maps / Places     Location + business discovery
Mapbox                   Map rendering

This list is the source of truth. Subscribe to the changelog for updates (we give 30 days' notice before adding a new sub-processor).

— Report a vulnerability

Found something? Tell us.

We run a responsible disclosure program with safe harbor for good-faith security research. Send details (repro steps, impact, suggested fix) to the email below. First-response SLA: 24 hours. We don’t offer cash bounties yet, but we publicly credit reporters in our hall of fame.

security@prochair.app

PGP key: 0xA3F8 1E2C

— What we commit to

  • First response within 24 hours of report
  • Triage within 3 business days with severity classification
  • Fix critical vulnerabilities within 30 days
  • No legal action against good-faith researchers
  • Public disclosure coordinated with reporter
  • Credit in our security hall of fame

Questions on security?

Enterprise customers can request a security questionnaire (SIG, CAIQ), DPA, and a call with our security lead.