ProofFill security

Security and data handling at ProofFill

Security questionnaires contain sensitive company evidence. ProofFill is being built around private uploads, server-side AI calls, signed downloads, deletion controls, and careful no-overclaiming language.

Coverage preview

Sample questionnaire output (XLSX-first)

Question                      Evidence            Confidence   Status
Data encryption at rest?      Evidence-backed     91%          review_ready
Incident response SLA?        Weak evidence       58%          needs_review
Do you support SSO?           No evidence found   0%           missing_evidence

Security posture for the upload flow

Private uploads

Evidence documents and questionnaires live in private storage. Public file URLs are not part of the production flow.
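The "private storage plus signed downloads" design described here can be illustrated with a minimal signed-URL scheme. This is an added example, not ProofFill's own code: the signing key, the placeholder download host and the HMAC-over-key-and-expiry format are all assumptions. The object key alone grants nothing; only a server-issued, unexpired, untampered link does.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing secret. It stays in the server/worker
# tier and is never sent to the browser (constructed demo value).
SIGNING_KEY = b"constructed-demo-signing-key-rotate-in-production"
BASE_URL = "https://files.example.invalid/download"  # placeholder host


def _mac(object_key: str, expires: int) -> str:
    # Bind the signature to both the object and its expiry so neither
    # can be changed independently after issuance.
    msg = f"{object_key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_download_url(object_key: str, ttl_seconds: int = 300,
                      now: Optional[int] = None) -> str:
    """Issue a short-lived download link for a private object."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"key": object_key, "exp": expires,
                       "sig": _mac(object_key, expires)})
    return f"{BASE_URL}?{query}"


def verify_download_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the object key if the link is valid and unexpired, else None."""
    now = int(time.time()) if now is None else now
    qs = parse_qs(urlparse(url).query)
    try:
        object_key = qs["key"][0]
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None  # malformed or missing parameters
    if expires < now:
        return None  # lapsed link: re-issue rather than extend
    if not hmac.compare_digest(sig, _mac(object_key, expires)):
        return None  # key or expiry altered after signing
    return object_key
```

The storage layer should serve bytes only after verify_download_url returns a key, and the TTL should be short enough that a leaked link is useless soon after it is shared.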

No model training use

The site states no training use for uploaded customer documents, and provider configuration must support that promise.

Server-side AI calls

The browser never receives AI provider keys. Processing happens in trusted server and worker services.

What ProofFill does not claim yet

  1. No fake certifications

    ProofFill should not imply SOC 2 certification or penetration test results until those controls exist.

  2. No hidden retention

    Deletion and retention policy must be visible before sensitive evidence is uploaded.

  3. No browser AI keys

    AI provider calls belong on the server side, not inside public browser code.

FAQ

Are uploaded documents public?

No. ProofFill is designed around private storage and signed downloads.

Does ProofFill train models on uploaded documents?

The intended product policy is no training use for uploaded customer documents.