You're running product strategy through Presume. That means we treat your data the same way you would: need-to-know access, encrypted everywhere, observable at every layer.
Encrypted
AES-256 at rest, TLS 1.2+ in transit. Keys managed by Supabase Vault.
Isolated
Row-level security ensures your data is never accessible to other tenants.
Audited
SOC 2 Type II in progress. Internal access is logged and reviewed quarterly.
Observable
Status page at status.getpresume.com. Incidents reported within 72 hours.
All data stored in Presume is encrypted at rest using AES-256. All data in transit is protected by TLS 1.2 or higher. Database encryption keys are managed through Supabase Vault with automatic rotation. Backups are encrypted on the same standard.
Your data is isolated by row-level security at the database layer, not just application-level access checks. Teammate access is managed by role (admin, editor, viewer). OAuth 2.0 is used for authentication. We strongly recommend enabling MFA on your account; all Presume team members are required to use it. Internal Presume employee access to production data requires an approved request and is logged.
We are currently pursuing SOC 2 Type II certification. Our audit period begins Q3 2026, with a target completion of Q1 2027. In the meantime, security controls are implemented to the SOC 2 Trust Services Criteria standard. Customers who need a security questionnaire completed can email us directly.
When you run an analysis, product context and persona prompts are sent to our inference providers, currently OpenRouter (which routes to underlying model providers), DeepSeek, and Anthropic. These providers process prompts to generate agent reasoning and the resulting artifacts. We send the minimum context necessary and do not include PII. Each provider operates under its own data-handling terms; we review those terms when integrating and pass changes through to this page. We do not opt your data into any provider's training programs.
An analysis works by navigating the onboarding URL you provide. To do that, we drive a third-party managed cloud browser provider, which loads that URL and performs the clicks, typing, and scrolling our personas decide on. That provider necessarily touches the web infrastructure behind the URL you submit and may capture navigation artifacts from it, including screenshots and page content, which we process to build your drop-off funnel and rewrite suggestions. It operates under its own data-handling terms, which we review when integrating, and we name it in our Data Processing Addendum on request. Point Presume only at non-production or staging environments, never at a live URL carrying real customer data.
We don't sell your data. Running an analysis requires third-party providers, the inference and browser-navigation providers named above, and we share only what those providers need to do their part; we don't share your product context or analysis outputs with anyone beyond what's needed to run the service. We don't train our own models on your data. We don't retain inference provider prompts after a session completes.
If you find a security issue, tell us before you publish it. Email security@getpresume.com with a description of the issue and reproduction steps. We'll acknowledge within 24 hours and aim to ship a fix within 72 hours for critical issues. We don't have a formal bug bounty yet, but we credit researchers who report responsibly.