---
title: "Security - Preuve AI"
slug: security
description: "How Preuve AI protects your startup idea. Enterprise-grade encryption, SOC 2 infrastructure, and full data control."
canonical: https://preuve.ai/security
date_published: 2026-02-02
date_modified: 2026-04-26
last_updated: April 26, 2026
---

# Security at Preuve AI

> **TL;DR:** Preuve AI protects your startup idea with passwordless magic-link authentication, TLS 1.3 in transit, AES-256 at rest, Supabase Postgres (SOC 2 Type II, EU eu-west-1) with row-level security, Vercel hosting (SOC 2 Type II), Stripe payments (PCI DSS Level 1), enterprise AI APIs from Google, Anthropic, and OpenAI that do not train on your data, GDPR Article 33 breach notification within 72 hours, and a delete-anytime endpoint that purges your data on request, with zero humans reviewing submissions.

Last updated: April 26, 2026.

## The short version

Your idea is encrypted, isolated, and processed only by AI. No humans review submissions. Preuve AI is a validation tool, not a competitor. You can delete your data anytime.

## Trust badges

- **Passwordless**: Magic-link / OTP only. No passwords to leak.
- **Encrypted**: TLS 1.3 in transit, AES-256 at rest.
- **SOC 2 Infrastructure**: Supabase + Vercel, both SOC 2 Type II.
- **You control your data**: Delete anytime from your account.

## Infrastructure security

- **Authentication**: Supabase Auth (SOC 2 Type II) with passwordless magic-link and OTP sign-in only. Preuve AI never sets, stores, hashes, or transmits passwords because it never collects them. Session tokens are JWTs validated server-side on every authenticated API request.
- **Database**: Supabase Postgres (SOC 2 Type II) hosted in the EU (eu-west-1, Ireland). Row-level security ensures users can only access their own data, enforced at the database level.
- **Hosting**: Vercel (SOC 2 Type II). Edge network with automatic HTTPS, DDoS protection, and a CORS allowlist hardcoded to production domains.
- **Payments**: Stripe (PCI DSS Level 1) for new purchases. Legacy DodoPayments and Paddle subscriptions remain on their original processor. Preuve AI never sees or stores card details.
- **AI providers**: Your idea is processed through enterprise APIs from Google (Gemini), Anthropic (Claude), and OpenAI (GPT). These providers do not use your data to train their models under their enterprise API terms. Requests may be routed through ZenMux and OpenRouter, LLM gateways with their own data handling policies.
- **Abuse defenses**: Server-side rate limiting on every public endpoint, with stricter limits on authentication endpoints. IP-based abuse detection auto-blocks after repeated alerts and is IPv6-aware to prevent rotation evasion. Disposable-email signups are blocked at the source.
- **Input and output**: Prompt-injection detection and input sanitization run on every report submission. Server-side paywall enforcement strips locked sections from API responses; locked content never leaves the server. An audit log wraps every API handler.
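The abuse defenses listed above combine per-endpoint rate limits with IPv6-aware blocking. The block below is an added illustration written for this page, not Preuve AI's own code, of how such a guard can be built: every client is keyed by its IPv4 address or by its IPv6 /64 prefix (so rotating through addresses inside one allocated prefix shares a single budget), authentication endpoints get a stricter limit than other public endpoints, and a key that trips its limit in repeated windows is blocked outright. The limits, window length, alert threshold and block duration are assumed values, and the in-memory map stands in for whatever shared store a real deployment would use.

```typescript
import { isIP } from "node:net";

// Expand an IPv6 address into its eight 16-bit groups, resolving "::" compression.
// Assumes the input already passed isIP() === 6; IPv4-mapped forms are not handled here.
function ipv6Groups(addr: string): number[] {
  const [head, tail] = addr.split("::");
  const left = head ? head.split(":") : [];
  const right = tail ? tail.split(":") : [];
  const missing = addr.includes("::") ? 8 - left.length - right.length : 0;
  return [...left, ...Array(missing).fill("0"), ...right].map((g) => parseInt(g, 16));
}

// Abuse key: the address itself for IPv4, the /64 prefix for IPv6, so that an
// attacker rotating through addresses inside one prefix still shares one budget.
function abuseKey(ip: string): string {
  const kind = isIP(ip);
  if (kind === 4) return ip;
  if (kind === 6) {
    const prefix = ipv6Groups(ip).slice(0, 4).map((n) => n.toString(16));
    return `${prefix.join(":")}::/64`;
  }
  throw new Error(`not an IP address: ${ip}`);
}

type Endpoint = "auth" | "public";

// Assumed policy values: stricter limit for sign-in endpoints, block after the
// third window in which a key exceeds its limit, block lasts one hour.
const LIMITS: Record<Endpoint, number> = { auth: 5, public: 60 };
const WINDOW_MS = 60_000;
const ALERTS_BEFORE_BLOCK = 3;
const BLOCK_MS = 60 * 60_000;

interface Bucket {
  windowStart: number;
  counts: Record<Endpoint, number>;
  alerts: number; // number of windows in which a limit was exceeded
  blockedUntil: number;
}

class AbuseGuard {
  private buckets = new Map<string, Bucket>();

  // Returns "allow", "limited" (over the window limit) or "blocked" (auto-block active).
  check(ip: string, endpoint: Endpoint, now = Date.now()): "allow" | "limited" | "blocked" {
    const key = abuseKey(ip);
    let b = this.buckets.get(key);
    if (!b) {
      b = { windowStart: now, counts: { auth: 0, public: 0 }, alerts: 0, blockedUntil: 0 };
      this.buckets.set(key, b);
    }
    if (now < b.blockedUntil) return "blocked";
    if (now - b.windowStart >= WINDOW_MS) {
      b.windowStart = now;
      b.counts = { auth: 0, public: 0 };
    }
    b.counts[endpoint] += 1;
    if (b.counts[endpoint] > LIMITS[endpoint]) {
      // Raise one alert per window, the first time the limit is crossed.
      if (b.counts[endpoint] === LIMITS[endpoint] + 1) b.alerts += 1;
      if (b.alerts >= ALERTS_BEFORE_BLOCK) {
        b.blockedUntil = now + BLOCK_MS;
        return "blocked";
      }
      return "limited";
    }
    return "allow";
  }
}
```

The key normalisation is the part that matters for rotation evasion: an IPv6 host usually controls at least a /64, so limiting per full address lets it reset its budget by changing the low 64 bits. Whether to bucket at /64 or coarser is a deployment decision; the example picks /64 as the conventional end-site prefix.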

## Who sees your idea

Zero humans. Your idea never crosses a human inbox, dashboard, or screen. AI processes it, generates your report, and that is it.

Your idea is:
- Never shared with other users or sold to anyone
- Processed by AI providers (Google, Anthropic, OpenAI) strictly to generate your report. These providers do not train on your data under their enterprise API terms
- Possibly routed through ZenMux and OpenRouter, LLM gateways with their own data handling policies
- Stored encrypted in your private account
- Never published individually. Aggregate statistics (score distributions, risk rates) may appear in public research reports, but never individual ideas, names, or identifying details

## Data encryption

- **In transit**: All data encrypted with TLS 1.3 (256-bit)
- **At rest**: Database encrypted with AES-256
- **Isolation**: Row-level security. Your data is logically separated from other users' data
- **No plaintext secrets**: Sensitive data is never stored unencrypted

## Your control

You own your data. You can:
- **View**: Access all your reports in your account
- **Delete**: Remove individual reports or your entire account
- **Export**: Download your analysis data

When you delete data, it is permanently removed from Preuve AI's systems.

## Common questions

### Will you steal my idea?
No. Preuve AI has analyzed 4,000+ ideas this month alone, from weekend projects to VC-backed startups. If the team stole ideas, they would have been exposed by now. Preuve AI is a validation tool, not a venture studio. From Vincent, founder: your idea is private. A solo founder who can barely keep up with his own product does not have time to steal yours.

### Can your employees see my idea?
No. Your idea is processed entirely by AI. Preuve AI has no employees reviewing submissions. Access to production data requires multi-factor authentication and is logged for security audits.

### Is my idea used to train AI?
The AI providers (Google, Anthropic, OpenAI) operate under enterprise API terms that prohibit using your data for model training. Requests may be routed through ZenMux and OpenRouter, LLM gateways with their own data handling policies.

### What if there is a data breach?
Supabase and Vercel both run formal incident response programs. Per GDPR Article 33, affected users are notified within 72 hours of confirming a breach that affects their data. The delete-account endpoint immediately purges your data from Postgres and the auth tables on request, and refund-related data revocation is handled the same way.

### Why no password?
Passwords are the most-attacked surface in any web app. By using one-time codes and magic links instead, Preuve AI removes credential stuffing, password-reuse exposure, brute force, and password-leak risk in one move. You sign in by clicking a link sent to your verified email. That is the entire mechanism.
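To make the mechanism concrete, here is an added example (written for this page, not Preuve AI's or Supabase's implementation) of the server-side half of a magic link: a random token is generated per sign-in attempt, only its SHA-256 hash is stored, and redemption succeeds at most once, only before expiry, with a constant-time comparison. The 15-minute lifetime, the `MagicLinkService` name and the in-memory map standing in for the auth table are all assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical record for one outstanding link. Only the token's hash is kept,
// so a read of this store never yields a link that can be clicked.
interface PendingLink {
  tokenHash: Buffer;
  email: string;
  expiresAt: number;
  used: boolean;
}

const TOKEN_TTL_MS = 15 * 60_000; // assumed 15-minute validity

function sha256(s: string): Buffer {
  return createHash("sha256").update(s).digest();
}

class MagicLinkService {
  // Stand-in for the auth table, keyed by link id.
  private pending = new Map<string, PendingLink>();

  // Issue a one-time token for an already verified email address. The id and
  // raw token go into the emailed link; the server keeps only the hash.
  issue(email: string, now = Date.now()): { id: string; token: string } {
    const id = randomBytes(16).toString("hex");
    const token = randomBytes(32).toString("base64url");
    this.pending.set(id, {
      tokenHash: sha256(token),
      email,
      expiresAt: now + TOKEN_TTL_MS,
      used: false,
    });
    return { id, token };
  }

  // Redeem a link. Returns the signed-in email, or null when the id is unknown,
  // the link was already used, it has expired, or the token does not match.
  redeem(id: string, token: string, now = Date.now()): string | null {
    const entry = this.pending.get(id);
    if (!entry || entry.used || now > entry.expiresAt) return null;
    // Both digests are 32 bytes, so the comparison runs in constant time.
    if (!timingSafeEqual(sha256(token), entry.tokenHash)) return null;
    entry.used = true; // single use: a replayed link is rejected
    return entry.email;
  }
}
```

Two properties carry the security argument in the answer above: there is no stored secret a user chose (so nothing to reuse or stuff), and the only server-side secret is a hash of a high-entropy random value that is consumed on first use.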

## Responsible disclosure

Found a vulnerability? Email security@preuve.ai.

- Preuve AI responds within 24 hours on weekdays.
- Please do not publicly disclose the issue until the team has had a reasonable chance to fix it.
- Avoid actions that would degrade service for other users (no DoS, no scraping, no testing on accounts that are not yours).
- No bounty program yet, but Preuve AI publicly credits responsible reporters once a fix is shipped, if you want the credit.

## Contact

- Security reports: security@preuve.ai
- General questions: hello@preuve.ai

## Canonical

- HTML: https://preuve.ai/security
- Markdown: https://preuve.ai/security.md
- Date published: 2026-02-02
- Date modified: 2026-04-26
