Security Policy
Our approach to security
Prosable Outcomes is an AI-enabled business process operations firm that designs, builds, and operates intelligent workflows on behalf of enterprise clients. That work involves handling sensitive operating data, and security is built into how we operate — from access controls and vendor selection through data handling and incident response.
Our security practices are informed by widely recognized security frameworks such as ISO 27001 and SOC 2. We welcome conversations about our security posture with prospective clients under NDA.
Infrastructure and encryption
We do not operate on-premises infrastructure. We deliver services primarily through third-party cloud platforms and software services, some of which maintain SOC 2 and ISO 27001 certifications for their environments. We configure the platforms and services we use according to security best practices, including least-privilege access, logging, and environment separation where applicable.
All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or the equivalent provided by the platform. Encryption keys are managed by the underlying platforms and services in accordance with their security practices and are not exposed in system logs or outputs accessible to Prosable Outcomes.
Access controls
We apply the principle of least privilege: people and systems have access only to the data and resources necessary for their assigned role. All administrative access to systems containing client data requires multi-factor authentication. Credentials are managed through encrypted secret management tools, and we avoid the use of shared credentials, managing access on an individual basis wherever the relevant platforms permit.
Access is provisioned for the specific client engagement and revoked upon completion or departure. Access to client data is logged through the relevant platforms and services where such logging is available.
Data handling in client engagements
Client data is processed only for the purposes defined in the service agreement. Data from one client is never commingled with or used to benefit another client. Our Client Data Policy details our commitments on data ownership, use restrictions, AI model data handling, and retention.
Vendors that process client data are evaluated before use based on factors such as security posture, data handling commitments, and incident response capabilities. We require data processing agreements from sub-processors and maintain an internal record of approved vendors. Relevant sub-processor information may be shared with clients as appropriate to the engagement or under applicable agreement terms.
Where AI vendors are used in service delivery, we select vendors whose contractual terms prohibit use of customer data for model training unless the client explicitly approves a different arrangement.
Incident response
If a confirmed incident affects client data, we will notify the affected client promptly — within the timeframe specified in the service agreement, and no later than required by applicable law. Notification will include a description of what occurred, what data was affected, what steps we have taken, and what actions the client should consider.
After containment, we conduct a post-incident review to identify the root cause and implement controls to prevent recurrence. Review findings are shared with affected clients upon request.
Personnel practices
All individuals with access to client data or systems used to deliver client services receive security training covering data handling, phishing recognition, safe use of AI tools, and incident reporting. Background screening is conducted as appropriate to the level of system and data access.
Continuous improvement
We review this policy and our security practices at least annually, and more frequently when business changes, new threats, or client requirements warrant it.
Changes to this policy
We may update this policy as our practices, services, or threat landscape evolve. The “Last updated” date above reflects the most recent revision.
Contact
- Security questions, vulnerability reports, or incident notifications: legal@prosable.com
- Response time: We will respond to verified privacy rights requests within the time required by applicable law. General inquiries are typically answered within 5 business days.
If we cannot resolve your concern, you have the right to lodge a complaint with your local regulatory authority — including the California Attorney General, the California Privacy Protection Agency, your state’s Attorney General, or (for EU residents) your local data protection authority.
This policy describes general operational practices and is provided for informational purposes. It does not create contractual obligations or modify any agreement between Prosable Outcomes and its clients.
