Built to pass your review
Prov holds your agency's contracts, payments, and client relationships. Here is exactly how that data is protected — in plain language, with no claims we can't stand behind.
Tenant isolation at the database layer
Every row of agency data is scoped to your workspace with Postgres Row Level Security. Isolation is enforced by the database itself — not by application code or UI filtering — so a query from one workspace can never return another workspace’s deals, contracts, invoices, or intelligence records.
Role-based access control
Five roles — Owner, Admin, Account Manager, Analyst, and Client-Viewer — with permissions enforced at the API and database layers. Client-Viewers are additionally scoped to specific clients: they cannot see any other client’s data in your workspace, even by constructing requests manually.
Audit trail
Contract approvals, invoice actions, compliance verifications, and role changes are written to an append-only audit log with the actor, action, entity, and timestamp. Finance and compliance reviews get a factual record of who did what, when.
Encryption
Data is encrypted in transit (TLS) and at rest (AES-256) on our infrastructure provider, Supabase (built on AWS). Uploaded documents — executed contracts, W-9s, disclosure proofs — live in private storage buckets accessible only through short-lived signed URLs.
Authentication & provisioning
Accounts are provisioned by our team during onboarding — there is no open self-serve signup surface. Email-code login avoids password-reuse risk. SSO is available on Enterprise agreements.
Your data is yours
Deal intelligence, contracts, and performance records belong to your agency. We don’t sell your data, train models on your private records, or retain them after a contracted offboarding. Full export is available at any time.
Security questionnaire?
We answer vendor-review and data-processing questionnaires as part of every enterprise evaluation.