Platform Security & Compliance

By default, PromethistAI supports federated authentication through trusted identity providers such as Google and Microsoft. This eliminates the need for password management and reduces risks associated with weak or reused credentials.

For organizations with more advanced requirements, PromethistAI offers Single Sign-On (SSO) through integration with enterprise identity providers. SSO is powered by Keycloak and supports a wide range of federation standards including SAML 2.0, OpenID Connect, and OAuth 2.0. With SSO enabled, employees, partners, or customers can access the PromethistAI platform and assigned relational agents using the same credentials they use internally, simplifying access and strengthening compliance with enterprise security policies.

SSO is available as part of the Enterprise Tier license, and configuration can be customized per organization in coordination with our technical team.

Authorization within the platform is governed by role-based access control (RBAC). Roles define the scope of actions available to each user and are consistently applied across accounts and projects. By default, the following roles exist at the account level:

Within projects, these same roles cascade, ensuring consistent governance across the entire hierarchy. This uniformity reduces complexity while maintaining clear boundaries of responsibility.

PromethistAI maintains baseline operational logs for authentication events, role assignments, and administrative actions. These logs are used internally to support security monitoring and incident response.

For enterprise customers requiring deeper visibility, enhanced audit logging is available on demand. In this mode, detailed records of authentication attempts, role changes, and privileged actions can be exposed to account Owners for compliance and governance purposes.

On the client side, PromethistAI applications for iOS and Android respect the same IAM model. Agents that require authentication enforce identity checks before interaction begins. When SSO is enabled, entitlements flow directly from the enterprise identity provider into the client applications, ensuring that only authorized users can access designated agents.

This design allows organizations to securely distribute agents to employees, partners, or selected customer groups, while maintaining centralized control over who can see and interact with each digital agent.

Data protection is embedded into every layer of the platform. All communications are encrypted in transit using TLS 1.2+ and all databases and object storage are encrypted at rest using AES-256. Keys are centrally managed in Azure Key Vault, with strict rotation policies and access logging.

No PromethistAI personnel have routine access to customer conversational content. Limited access is technically possible only for a small, highly secured subset of our operations and DevOps team, and only in exceptional cases such as resolving a customer support request or fulfilling a compliance obligation. Such access is time-bound, governed by least-privilege policies, and fully logged.

Customers do not interact with raw infrastructure data directly. Instead, they may access relevant information through dedicated APIs (for example, APIs exposing memory or account-level resources) or request access through formal support channels. This approach protects the integrity of operational systems while giving customers the transparency they need for governance and compliance – and this feature is available upon request as a part of our Enterprise Tier.

PromethistAI maintains a robust security operations program that includes continuous vulnerability scanning, automated patch management, and 24/7 monitoring across all critical systems. Automated alerting is backed by documented incident response playbooks.

The platform is protected against denial-of-service attacks through Azure Front Door, while regional redundancy ensures that services remain resilient even in the event of localized infrastructure failures.

PromethistAI is designed for resilience and continuity. Each regional deployment includes redundancy across availability zones, as well as daily encrypted backups. Restoration procedures are regularly tested to validate data integrity and recovery reliability.

The platform’s Recovery Point Objective (RPO) is 24 hours, while the Recovery Time Objective (RTO) for critical services is under four hours. These measures ensure that customer data and services remain available even under adverse conditions.

PromethistAI enables organizations to build and operate relational agents. With that capability comes responsibility for how data is processed and how agents behave. This policy covers data handled within PromethistAI accounts, including platform administration, the Relational Intelligence Engine, and distribution via the PromethistAI iOS/Android clients.

Where this policy references security mechanisms (encryption, monitoring, incident response), the authoritative details live in Security & Compliance.

For Customer Content (e.g., knowledge bases, agent configuration, Memories), the customer is the controller and PromethistAI acts as the processor. For platform operations data (e.g., account admin details, billing, core service telemetry), PromethistAI acts as an independent controller to operate and secure the service.

A Data Processing Addendum (DPA) and the current list of sub-processors are available upon request.

Customer Content (processor role)

Content you upload or configure (documents, knowledge bases, multimodal assets, MCP metadata), agent configuration (identity, guardrails, processes), and any persisted artifacts produced by the platform (e.g., Memories) or created via your calls to dedicated APIs.

Account & Operational Data (controller role)

Account details (organization, emails, roles), billing/usage data, and minimal service telemetry required to operate, secure, and improve reliability of the platform and mobile clients.

At onboarding, each account is bound to a hosting region (currently EU or North America). Customer Content is processed and stored exclusively within the selected region. This region binding applies to the administration platform, the Relational Intelligence Engine, and distribution via PromethistAI clients.

Cross-region migration occurs only upon explicit customer request and under a controlled migration plan.

We do not sell Customer Content or use it to train unrelated third-party models.

PromethistAI retains conversational interactions and associated artifacts by default. This ensures that relational agents can maintain continuity across sessions, support compliance and audit requirements, and provide customers with the ability to review historical data where needed.

All stored content is:

Customers may request data exports or deletions through formal support channels. When such requests are processed:

Unless otherwise agreed in writing, retention follows PromethistAI’s default platform policy. This model ensures data availability for operational continuity and compliance, while giving customers governance rights over export and deletion on demand.

PromethistAI personnel do not have routine access to Customer Content. Access is technically possible only for a highly secured subset of our Operations and DevOps team, and only under specific circumstances such as incident response, compliance requirements, or when a customer explicitly requests support. All such access is time-bound, requires prior approval, follows least-privilege principles, and is fully logged.

No other PromethistAI teams have access to Customer Content by default. In cases where a customer explicitly grants access — for example, by inviting PromethistAI staff into a dedicated account or project for implementation, testing, or support purposes — access is limited to the scope defined by the customer and governed by the same security controls.

Customers do not access raw infrastructure storage or logs. You interact with your own data through available platform interfaces. Where audit information is exposed, it is provided in a structured, customer-safe form. Additional audit extracts can be provided upon request, subject to security review.

PromethistAI provides the secure, compliant foundation; customers decide how it is used.

You control:

PromethistAI controls:

Relational agents are configured and governed by the customer. PromethistAI does not pre-moderate or continuously monitor agent behavior.

You (the customer) are solely responsible for:

PromethistAI provides technical controls and may suspend or restrict access where we detect abuse or violations of platform policies, but responsibility for agent output rests with the customer.

When you are the controller, PromethistAI (as processor) will assist you in fulfilling data subject requests—access, rectification, deletion, portability, objection, and restriction—through available APIs and formal support channels. Requests sent directly to PromethistAI that relate to your Customer Content are routed to you as the controller.