Encryption at Rest
Gmail OAuth tokens and AI API keys are encrypted using AES-128 Fernet symmetric encryption before being written to the database. The encryption key is stored separately in the backend environment, not in the database.
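To make the at-rest flow concrete, here is an added example (not Prism Tree's own code) of the encrypt-before-write pattern described above. It assumes the Python `cryptography` package, a key supplied through an environment variable named TOKEN_ENCRYPTION_KEY (a hypothetical name), and an in-memory dict standing in for the credentials table; the sample token is constructed.

```python
"""Encrypt an OAuth token with Fernet before it reaches the database.

Added example, not Prism Tree's code. Assumes the `cryptography` package and an
environment variable TOKEN_ENCRYPTION_KEY (hypothetical name) holding a Fernet
key. The in-memory `DB` dict and the sample token are constructed.
"""
import os
from cryptography.fernet import Fernet, InvalidToken

# The key lives in the backend environment only, never in the database.
# For a runnable demo we generate one when the variable is not already set.
os.environ.setdefault("TOKEN_ENCRYPTION_KEY", Fernet.generate_key().decode())


def _fernet() -> Fernet:
    # A Fernet key is 32 url-safe-base64 bytes: 16 for the HMAC-SHA256
    # signing key and 16 for the AES-128-CBC encryption key.
    return Fernet(os.environ["TOKEN_ENCRYPTION_KEY"].encode())


DB: dict[str, bytes] = {}  # constructed stand-in for a credentials table


def store_token(user_id: str, plaintext_token: str) -> bytes:
    """Encrypt and persist; returns the ciphertext that is actually written."""
    ciphertext = _fernet().encrypt(plaintext_token.encode())
    DB[user_id] = ciphertext
    return ciphertext


def load_token(user_id: str) -> str:
    """Decrypt at use time; the plaintext never lives in the database."""
    return _fernet().decrypt(DB[user_id]).decode()


def readable_without_backend_key(ciphertext: bytes) -> bool:
    """Models a leaked database dump held by someone without the backend key.
    Returns True only if decryption under a different key succeeds."""
    try:
        Fernet(Fernet.generate_key()).decrypt(ciphertext)
        return True
    except InvalidToken:  # HMAC check fails before any plaintext is produced
        return False


if __name__ == "__main__":
    ct = store_token("user-1", "ya29.constructed-sample-oauth-token")
    print("stored ciphertext:", ct[:40], b"...")
    print("decrypted at use time:", load_token("user-1"))
    print("dump readable without key:", readable_without_backend_key(ct))
```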
Encryption in Transit
All communication between your browser and Prism Tree — the frontend at app.prismtree.ai and the API at api.prismtree.ai — is encrypted over HTTPS/TLS. Unencrypted HTTP connections are not accepted.
Per-User Data Isolation
Row-Level Security (RLS) is enforced at the PostgreSQL database layer. Another user's session cannot read your rows, and that isolation is enforced by the database itself, not just by application code.
JWT Authentication
Every authenticated API request is validated by calling Supabase's auth endpoint — tokens are never trusted client-side only. Passwords are never stored in plaintext; Supabase uses bcrypt hashing.
US-Based Data Residency
All user data is stored in PostgreSQL hosted by Supabase on AWS US-West-2 (Oregon, USA). No user data is stored outside the United States.
Rate Limiting
All API endpoints are rate-limited to 60 requests per minute per authenticated user, protecting against abuse and runaway automation.
How your data travels
Every piece of data follows a path from your browser to our database. Here's what that path looks like and where encryption applies.
Request lifecycle
[Request lifecycle diagram: each hop between your browser, the frontend, the API and the database is labelled HTTPS/TLS.]
Sensitive fields (Gmail tokens, API keys) are encrypted by the API before being written to the database, so even a database breach would not expose plaintext credentials.
What we don't do
Security is also about the things you choose not to do. Here's what we've ruled out entirely.
We don't store credit card numbers or payment data — if payments are added, they'll go through a PCI-compliant processor, never our own database.
We don't read or retain Gmail email content beyond extracting the job lead information you explicitly request.
We don't use your Career Brain data to train AI models. Context is passed to AI providers at call time only.
We don't log your AI API keys or store them in plaintext after they're saved.
We don't use advertising SDKs, third-party analytics trackers, or ad pixels anywhere on the platform.
We don't share your data with data brokers, recruiters, employers, or any external commercial party.
Responsible disclosure
Found a vulnerability?
If you discover a security issue in Prism Tree, we want to hear about it before it goes public. Email us at security@prismtree.ai with a description of the issue, steps to reproduce, and your contact info. We'll acknowledge within 48 hours and work to address confirmed issues promptly.
We ask that you give us reasonable time to investigate before any public disclosure. We genuinely appreciate responsible security research.
Questions?
If you have questions about our security practices that aren't answered here, email us at security@prismtree.ai. We'll respond directly — no automated replies.
For privacy-related questions, see our Privacy Policy.