ProyectaSecurity

Security

Last Updated: May 21, 2026

Proyecta is a platform where your source code, prompts, and project data flow through AI systems and isolated execution environments. Protecting that data is foundational to how we build the Services. This page summarizes our security practices in plain language; it supplements our Privacy Policy, Terms of Service, and the Subprocessors list.

For security questions, enterprise security reviews, or to report a vulnerability, contact security@proyecta.dev.

1. Infrastructure and Hosting

The Services run on Google Cloud Platform, a Kubernetes-native infrastructure operated in established cloud regions. A Google-managed Layer-7 load balancer with Google Cloud Armor sits in front of our public endpoints, providing DDoS protection, web application firewalling, and rate limiting; static assets are served via Google Cloud CDN. Cloudflare provides authoritative DNS and TLS-certificate validation, and edge delivery for user-published apps (*.proyecta.live).

We do not operate our own data centers. Our cloud providers maintain their own independent infrastructure security certifications, and a current list of the providers that process data on our behalf is published on our Subprocessors page.

2. Encryption

  • In transit: All traffic between you and the Services is encrypted using TLS 1.2 or higher.
  • At rest: Customer Content, account data, and backups are encrypted at rest.
  • Secrets: Credentials and integration tokens are stored encrypted and are never exposed in client-side code or logs.

3. Access Controls

  • Role-based access control. Access to production systems and customer data is restricted to authorized Proyecta personnel on a least-privilege basis.
  • Audit logging. Administrative and data-access actions are logged for accountability.
  • Scoped credentials. Service and integration credentials are scoped to the minimum permissions required for their function.
  • Confidentiality obligations. Personnel with access to Content are bound by confidentiality obligations and receive security training.

As described in our Privacy Policy, authorized personnel access Content only as necessary to provide support, debug issues, maintain reliability, or comply with legal obligations.

4. Your Code and AI Data Handling

This is the question most customers care about, so we state it plainly:

  • We do not train AI models on your Content. We do not use your code, prompts, or data to train or fine-tune our AI models, and we do not send your Content to AI providers for the purpose of training their models.
  • Content is processed to serve you, not to be mined. Your Content is processed solely to deliver responses within your own sessions.
  • Third-party AI providers process inputs transiently. To generate responses, inputs are sent to AI model providers (Anthropic and Google) over their APIs. We use API tiers that, under those providers' current API terms, are not used to train their models on customer inputs. We do not control these providers, and their data handling is governed by their own terms, which you should review independently (see Terms §10.2).
  • Aggregated analytics only. Any analytics we derive to improve the Services use aggregated, de-identified data that cannot be used to identify you or reconstruct your Content.

5. Runtime Isolation

Code generated and executed by the Services runs inside isolated runtime environments — dedicated, sandboxed Kubernetes pods provisioned per workload. Runtimes are isolated from one another and are torn down on their lifecycle schedule, limiting the blast radius of any single execution.

6. Vulnerability Management

  • We perform periodic vulnerability assessments and security testing of the Services.
  • We monitor our software dependencies for known vulnerabilities and apply updates on a risk-prioritized basis.
  • Responsible disclosure. If you believe you have found a security vulnerability, please report it to security@proyecta.dev. We will acknowledge your report, investigate promptly, and keep you informed. Please give us a reasonable opportunity to remediate before any public disclosure.

7. Data Retention and Deletion

We retain information only as long as necessary to provide the Services and meet legal obligations. Conversation history, including prompts and generated outputs, is retained until you delete it or terminate your account. On account termination you have a 30-day window to export your data, after which it is deleted in accordance with our retention schedule. Full details are in Privacy Policy §4.

8. Incident Response

We maintain an incident response process for security events. In the event of a breach involving your personal data, we will notify affected customers within 72 hours of discovery where feasible, or sooner where required by applicable law, including the nature of the incident, the data affected, and recommended actions.

9. Subprocessors

We use a vetted set of third-party service providers to operate the Services. Each is contractually obligated to protect the data it processes on our behalf. The complete, current list — including each provider's purpose, the data it processes, and its location — is published on our Subprocessors page, which describes how we provide notice of changes.

10. Compliance and Security Reviews

  • Data Processing Agreement. Customers who act as a data controller may request a DPA that supplements our Privacy Policy with additional data protection commitments. Contact legal@proyecta.dev.
  • Security questionnaires. We are happy to complete vendor security questionnaires and support enterprise security reviews — contact security@proyecta.dev.
  • Subprocessor transparency. Our subprocessor list is public and kept current.

As Proyecta grows, we continue to expand our formal security and compliance program. For the current status of any specific certification or attestation, please reach out and we will share where we are.

11. Contact

Related Documents

Questions?

Contact Legal

Reach us at legal@proyecta.dev for any inquiries.