Security Center

Trust is the product. Here's how we earn it.

Workforce analytics fails on day one if either side — the manager or the person being measured — doesn't believe what's published. This page is everything you need for a security review, plus the full data manifest, version-controlled and signed.

  • SOC 2 Type II: certified, 2024 to present
  • ISO 27001: certified, 2025
  • GDPR: compliant
  • HIPAA: ready; BAA available
  • CSA STAR: Level 2

01 · The data manifest

What we collect. What we don't. What we never will.

The full, version-controlled list of every signal ProdView's agent emits and every signal it refuses to emit. Reviewed annually by a third-party privacy auditor. Published at github.com/prodview/manifest with a cryptographic signature on each revision.

We collect:
  • Active and focus minutes: per 1-minute bucket; used for productive hours and focus-block detection.
  • Foreground app name and category: the app currently in focus, classified into one of five categories.
  • Browser host name: for browsers, the host only (github.com), never the path, query string, or page content.
  • Device health metrics: CPU, RAM, queue depth, agent version; used for fleet operations.
  • Auditable security events: USB events, off-hours logins, location changes; type, time and device only, never a payload.

We never collect:
  • Keystrokes or keystroke timing: the agent has no keyboard hook, which is verifiable in the source.
  • Screen recordings or screenshots: no screen-capture API is linked; the optional admin-side screenshot policy was removed in 0.2.0.
  • Mouse coordinates or heatmaps: we don't read cursor position; idle is detected from the presence of input events only.
  • Message contents: no window content inspection; we see "Slack is focused" and nothing inside.
  • Camera or microphone: no permission is requested; the OS install never prompts for either.
  • File contents or full paths: no filesystem access; we see that Word is open, not which document.

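The "host only" rule above is the one manifest entry a reviewer can check mechanically: whatever URL the browser reports, the agent must emit nothing but the host. The Go function below is an added example of that reduction, not ProdView's agent code; the function name hostOnly and the sample URLs are constructed for illustration. It drops scheme, embedded credentials, port, path, query and fragment, normalises case, and refuses anything that is not an http(s) URL with a host, so a parse failure never falls through to the raw string.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// hostOnly reduces a full browser URL to the bare host the manifest allows:
// no scheme, no userinfo, no port, no path, no query, no fragment.
// Anything that is not an http(s) URL with a host is rejected rather than
// passed through, so a parse failure can never leak the raw string.
func hostOnly(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	// Hostname() already drops userinfo and the port; normalise case and a
	// trailing dot so one site does not show up under several spellings.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", errors.New("no host in URL")
	}
	return host, nil
}

func main() {
	// Constructed sample inputs: a URL carrying credentials, a port, a path,
	// a query token and a fragment, plus two inputs the agent must refuse.
	for _, raw := range []string{
		"https://user:pass@GitHub.com:443/org/repo?token=abc#frag",
		"javascript:alert(1)",
		"github.com/org/repo",
	} {
		host, err := hostOnly(raw)
		fmt.Printf("%-60s -> %q err=%v\n", raw, host, err)
	}
}
```

The rejection branches matter as much as the happy path: a scheme-less string parses as a path in Go, and a javascript: or data: URL has no host at all, so both must produce an error rather than an empty or partial value that downstream code might store.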
02 · Data flow

How a single event travels.

Every event ProdView emits follows the same path: hashed device id → tenant-keyed encryption → regional ingestion → aggregation → dashboard. TLS 1.3 on every hop. Per-tenant data keys are created at provision time and wrapped by a KMS key that never leaves the HSM.

  • Agent: device-local; ships events to the edge over TLS 1.3.
  • Edge ingestion: regional, DDoS-protected edge; the tenant key is derived here.
  • Aggregator: stateless stream processing; produces PII-free rollups.
  • TimescaleDB: encrypted at rest with per-tenant keys.
  • Dashboard: SSO; scoped reads; every read audit-logged.

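The two steps above that a reviewer will want to see in code are the hashed device id and the per-tenant envelope encryption (the same scheme section 03 describes as per-tenant DEKs wrapped by KMS-managed keys). The Go program below is an added example of that pattern, not ProdView's implementation. It assumes three things the page does not state: the device id is a keyed HMAC rather than a plain hash (so serial numbers cannot be recovered by hashing candidates), the KMS-resident wrapping key is modelled by an in-memory KEK so the code runs offline, and the AEAD's associated data carries the tenant and device ids so a ciphertext cannot be replayed into another record. All names (Tenant, Provision, SealEvent) are this example's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tenant holds one tenant's key material. The KEK stands in for the
// KMS-managed key that in production never leaves the HSM.
type Tenant struct {
	ID         string
	kek        []byte // stand-in for the HSM-resident wrapping key
	pseudoKey  []byte // assumption: device ids are HMAC'd, not plain-hashed
	WrappedDEK []byte // DEK sealed under the KEK; safe to store beside the data
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness means nothing below is safe to run
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh 96-bit nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Provision runs once per tenant: generate a DEK, wrap it under the KEK, keep
// only the wrapped form. The AAD ties the wrapped blob to this tenant id.
func Provision(id string) (*Tenant, error) {
	t := &Tenant{ID: id, kek: randBytes(32), pseudoKey: randBytes(32)}
	wrapped, err := seal(t.kek, randBytes(32), []byte("dek:"+id))
	if err != nil {
		return nil, err
	}
	t.WrappedDEK = wrapped
	return t, nil
}

// unwrapDEK models the KMS Decrypt call that returns the plaintext DEK.
func (t *Tenant) unwrapDEK() ([]byte, error) {
	return open(t.kek, t.WrappedDEK, []byte("dek:"+t.ID))
}

// DeviceID pseudonymises a hardware identifier with a tenant-scoped HMAC: the
// same laptop gets different ids in different tenants, and the serial cannot
// be recovered by hashing a list of candidate serials.
func (t *Tenant) DeviceID(hardwareID string) string {
	m := hmac.New(sha256.New, t.pseudoKey)
	m.Write([]byte(hardwareID))
	return hex.EncodeToString(m.Sum(nil))
}

// eventAAD binds a ciphertext to its tenant and device so it cannot be
// replayed into another tenant's or device's record.
func (t *Tenant) eventAAD(deviceID string) []byte { return []byte(t.ID + "|" + deviceID) }

func (t *Tenant) SealEvent(deviceID string, event []byte) ([]byte, error) {
	dek, err := t.unwrapDEK()
	if err != nil {
		return nil, err
	}
	return seal(dek, event, t.eventAAD(deviceID))
}

func (t *Tenant) OpenEvent(deviceID string, sealed []byte) ([]byte, error) {
	dek, err := t.unwrapDEK()
	if err != nil {
		return nil, err
	}
	return open(dek, sealed, t.eventAAD(deviceID))
}
```

Provision and SealEvent are the only places the plaintext DEK exists, and only transiently; what persists is WrappedDEK, which is useless without a KMS Decrypt call that can itself be audit-logged. Opening a blob under a different device id or a different tenant's keys fails authentication rather than returning garbage, which is the property the dashboard's scoped reads depend on.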
03 · Infrastructure

Per-tenant keys. Per-region data. Per-user audit.

ProdView runs on AWS across three regions (us-east, eu-central, ap-southeast). You pick which region your tenant lives in at provisioning. No data crosses regions without your explicit configuration.

  • Encryption at rest — AES-256-GCM with per-tenant DEKs wrapped by KMS-managed CMKs.
  • Encryption in transit — TLS 1.3 only. HSTS preload. mTLS available for enterprise.
  • Audit log — Ed25519-signed, append-only, 7-year retention on Business+.
  • Penetration testing — Annual third-party pentest. Latest report on request under NDA.
  • Vulnerability disclosure — Bug bounty live on HackerOne. Hall of fame on this page.
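"Ed25519-signed, append-only" names two properties a customer should be able to verify with nothing but a public key. The Go program below is an added example of one design that delivers both, not ProdView's audit log code: each entry's hash covers its sequence number, the previous entry's hash and its payload, the hash is signed with Ed25519, and a verifier walks the chain against a head checkpoint (entry count plus last hash) held out of band. The entry layout, the SHA-256 chaining and the checkpoint are this example's assumptions. Without the checkpoint, silently dropping the newest entries would pass every other check, which is the failure mode an "append-only" claim most often hides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entry is one audit record. Prev binds it to the record before it, so an
// edit or deletion anywhere in the middle breaks every later hash.
type Entry struct {
	Seq     uint64
	Prev    [32]byte
	Payload string
	Sig     []byte // Ed25519 signature over Hash()
}

// Hash commits to the sequence number, the previous hash and the payload.
func (e *Entry) Hash() [32]byte {
	h := sha256.New()
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], e.Seq)
	h.Write(seq[:])
	h.Write(e.Prev[:])
	h.Write([]byte(e.Payload))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Log is append-only in the API sense: Append is the only mutator and there
// is no method that removes or rewrites an entry.
type Log struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, Pub: pub}, nil
}

func (l *Log) Append(payload string) {
	var prev [32]byte // the genesis entry chains to the all-zero hash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash()
	}
	e := Entry{Seq: uint64(len(l.Entries)), Prev: prev, Payload: payload}
	h := e.Hash()
	e.Sig = ed25519.Sign(l.priv, h[:])
	l.Entries = append(l.Entries, e)
}

// Head is the checkpoint a verifier stores out of band (count + last hash).
// Without it, truncating the tail of the log is undetectable.
func (l *Log) Head() (uint64, [32]byte) {
	n := len(l.Entries)
	if n == 0 {
		return 0, [32]byte{}
	}
	return uint64(n), l.Entries[n-1].Hash()
}

// Verify walks the chain with only the public key and a trusted head.
func Verify(pub ed25519.PublicKey, entries []Entry, wantCount uint64, wantHead [32]byte) error {
	if uint64(len(entries)) != wantCount {
		return fmt.Errorf("log has %d entries, checkpoint says %d", len(entries), wantCount)
	}
	var prev [32]byte
	for i := range entries {
		e := &entries[i]
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence gap (seq=%d)", i, e.Seq)
		}
		if e.Prev != prev {
			return fmt.Errorf("entry %d: prev hash mismatch", i)
		}
		h := e.Hash()
		if !ed25519.Verify(pub, h[:], e.Sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = h
	}
	if prev != wantHead {
		return errors.New("head hash mismatch")
	}
	return nil
}
```

Each check in Verify catches a different attack: a bad signature catches an edited payload, a sequence gap catches a deleted entry, a prev-hash mismatch catches a reordered one, and the count and head comparison catch a truncated tail. A customer exporting the 7-year log can run this with the vendor's published public key and a checkpoint they recorded themselves.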
04 · Subprocessors

Six vendors. All publicly listed.

The complete list of third parties that may process customer data on our behalf. We notify customers 30 days before any addition. The current list:

Vendor              | Purpose                          | Location        | Certifications
Amazon Web Services | Cloud infrastructure             | US · EU · APAC  | SOC 2 · ISO 27001
Cloudflare          | Edge / DDoS / CDN                | Global          | SOC 2
Stripe              | Billing (no customer data)       | US · EU         | SOC 2 · PCI
Plaintext           | Email delivery (transactional)   | US · EU         | SOC 2
PagerDuty           | Internal on-call (metadata only) | US              | SOC 2
Vanta               | Compliance monitoring            | US              | SOC 2

Security disclosure

If you've found a security issue, report it to security@prodview.app. We acknowledge within 24 hours, fix high-severity issues within 7 days, and credit responsible reporters in our hall of fame.

0xA82F 1C3E B109 5DD2 9A18 4E2B 7C03 11F4 8E92 D6A7

Compliance & SOC reports

Request our SOC 2 Type II report, ISO 27001 certificate, or DPA from trust@prodview.app; they are shared under mutual NDA. Most requests are fulfilled within 4 business hours.

Our trust portal at trust.prodview.app hosts the live questionnaire (CAIQ + SIG Lite).