Security

Built to pass your review

Prov holds your agency's contracts, payments, and client relationships. Here is exactly how that data is protected — in plain language, with no claims we can't stand behind.

Tenant isolation at the database layer

Every row of agency data is scoped to your workspace with Postgres Row Level Security. Isolation is enforced by the database itself — not by application code or UI filtering — so a query from one workspace can never return another workspace’s deals, contracts, invoices, or intelligence records.

Role-based access control

Five roles — Owner, Admin, Account Manager, Analyst, and Client-Viewer — with permissions enforced at the API and database layers. Client-Viewers are additionally scoped to specific clients: they cannot see any other client’s data in your workspace, even by constructing requests manually.

Audit trail

Contract approvals, invoice actions, compliance verifications, and role changes are written to an append-only audit log with the actor, action, entity, and timestamp. Finance and compliance reviews get a factual record of who did what, when.

Encryption

Data is encrypted in transit (TLS) and at rest (AES-256) on our infrastructure provider, Supabase (built on AWS). Uploaded documents — executed contracts, W-9s, disclosure proofs — live in private storage buckets accessible only through short-lived signed URLs.

Authentication & provisioning

Accounts are provisioned by our team during onboarding — there is no open self-serve signup surface. Email-code login avoids password-reuse risk. SSO is available on Enterprise agreements.

Your data is yours

Deal intelligence, contracts, and performance records belong to your agency. We don’t sell your data, train models on your private records, or retain them after a contracted offboarding. Full export is available at any time.

Security questionnaire?

We answer vendor-review and data-processing questionnaires as part of every enterprise evaluation.

Talk to us