Is Presume SOC 2 compliant?

Presume is pursuing SOC 2 Type II certification. The audit period begins Q3 2026 with a target completion of Q1 2027. Security controls are already implemented to the SOC 2 Trust Services Criteria standard.

Do inference providers retain my prompts?

No. Presume uses Anthropic and OpenAI for inference under zero-retention API agreements. Prompts are not stored or used for training. We send the minimum context necessary and do not include PII.

Do you train models on customer data?

No. We do not sell your data, do not share product context or simulation outputs with third parties beyond what is needed to run the service, and do not train our own models on your data.

Presume

Security

Built to hold confidential work.

You're running product strategy through Presume. That means we treat your data the same way you would — need-to-know access, encrypted everywhere, observable at every layer.

Encrypted

AES-256 at rest, TLS 1.2+ in transit. Keys managed by Supabase Vault.

Isolated

Row-level security ensures your data is never accessible to other tenants.

Audited

SOC 2 Type II in progress. Internal access is logged and reviewed quarterly.

Observable

Status page at status.getpresume.com. Incidents reported within 72 hours.

Data encryption

All data stored in Presume is encrypted at rest using AES-256. All data in transit is protected by TLS 1.2 or higher. Database encryption keys are managed through Supabase Vault with automatic rotation. Backups are encrypted on the same standard.

Access controls

Your data is isolated by row-level security at the database layer — not just application-level access checks. Teammate access is managed by role (admin, editor, viewer). OAuth 2.0 is used for authentication. We strongly recommend enabling MFA on your account; all Presume team members are required to use it. Internal Presume employee access to production data requires an approved request and is logged.

Compliance roadmap

We are currently pursuing SOC 2 Type II certification. Our audit period begins Q3 2026, with a target completion of Q1 2027. In the meantime, security controls are implemented to the SOC 2 Trust Services Criteria standard. Customers who need a security questionnaire completed can email us directly.

Inference providers

When you run a simulation, product context and persona prompts are sent to our inference providers — currently OpenRouter (which routes to underlying model providers), DeepSeek, and Anthropic. These providers process prompts to generate agent responses. We send the minimum context necessary and do not include PII. Each provider operates under its own data-handling terms; we review those terms when integrating and pass changes through to this page. We do not opt your data into any provider's training programs.

What we don't do

We don't sell your data. We don't share your product context or simulation outputs with any third parties beyond what's needed to run the service. We don't train our own models on your data. We don't retain inference provider prompts after a session completes.

Reporting a vulnerability

If you find a security issue, tell us before you publish it. Email security@getpresume.com with a description of the issue and reproduction steps. We'll acknowledge within 24 hours and aim to ship a fix within 72 hours for critical issues. We don't have a formal bug bounty yet, but we credit researchers who report responsibly.

Access controls

Inference providers

Reporting a vulnerability