Security & data handling

How we handle candidate and customer data

Promptster captures how engineers work with AI tools, which means we take data handling seriously: for the companies that trust us with their hiring and for the candidates whose work we record. Here is exactly what we collect, where it lives, who can see it, and the commitments we make in writing.

Encrypted in transit & at rest

TLS 1.2+ everywhere; AES-256 at rest via AWS KMS, with an extra application-layer encryption pass on direct identifiers.

Least-privilege access

Role-based access control and MFA on production. Every access is logged and reviewed; one customer can never see another's data.

US-based infrastructure

Assessment data is hosted on AWS in the United States. Promptster Inc. is a US company.

You control retention

Assessment data lives 30 days by default, up to 180; your call. Delete on request, any time.

No sale, no model training

We don't sell data and don't train models on it. Telemetry is used only to produce the hiring signal for the customer who ran the assessment.

DPA + 72-hour breach notice

Standard DPA covering GDPR, UK GDPR, and CCPA/CPRA, with SCCs for EU/UK transfers and 72-hour breach notification.

What we capture

What data does Promptster capture during an assessment?

During an active assessment, Promptster captures process telemetry from the candidate's AI coding agent: the prompts they send, the model's responses, tool calls, file edits, terminal commands, and timing.

Capture is proxy-primary: the agent's API traffic routes through our proxy, supplemented by the agent's native hooks. It works across Claude Code, Codex, and Cursor. We capture this only during the assessment session, and only from the agent, not the candidate's wider machine.

Do you record the candidate's screen or their whole machine?

No. There are no desktop screenshots, no watching of other applications, and no keylogger. We capture the AI agent's activity inside the assessment: API traffic through the proxy plus events from the agent's hooks. Nothing outside the active assessment session is collected.

Do you use our data to train AI models?

No. We don't use customer or candidate data to train models, and we don't sell data. Assessment telemetry is used only to produce the hiring signal for the customer who ran the assessment.

Where we use a large language model to analyze telemetry, we use Anthropic's API, whose commercial terms do not use API inputs or outputs to train their models.

Candidate trust

Is this spyware?

No. Candidates are told before they start exactly what is captured, and they consent to it. Capture is scoped to the assessment session and the AI agent only; we do not monitor the rest of their machine.

The point is to credit candidates for how they actually work with AI tools, not to surveil them. The same replay a reviewer sees is the candidate's own work, attributed honestly.

Can a candidate request access to or deletion of their data?

Yes. Candidates can request access, correction, or deletion by emailing privacy@promptster.ai. We honor data-subject rights under GDPR and CCPA, and customers can also trigger deletion on a candidate's behalf.

Storage, encryption & residency

Where is our data stored?

Assessment data is hosted on AWS in the United States. Promptster Inc. is a US company. If you access Promptster from outside the US, your data may be processed in the US under appropriate safeguards, including the EU Standard Contractual Clauses and UK Addendum. If you have specific EU data-residency requirements, contact us; we'll work through them as part of your DPA.

Is our data encrypted?

Yes. Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 via AWS KMS. Direct identifiers receive an additional application-layer encryption pass. The full set of technical and organizational measures is listed in our DPA.

How long do you keep assessment data?

Retention is set by the hiring team: 30 days by default, up to a maximum of 180 days. Customers can request earlier deletion at any time.

Account data is retained for the life of the subscription plus up to 90 days for administrative wind-down. Billing records are kept as long as tax and financial regulations require. Aggregated, anonymized data that cannot identify an individual may be kept longer.

Access & credentials

Who at Promptster can access our data?

Access is role-based and limited to the minimum personnel needed to operate and support the platform. Production access requires multi-factor authentication, is logged, and is reviewed regularly. The customer who ran an assessment can see its results; other customers cannot.

How do you handle authentication?

Authentication is handled by Clerk. We do not store passwords ourselves. Multi-factor authentication is available, and dashboard access is scoped to your organization.

We bring our own model keys (BYOK). How are they handled?

API keys you provide are stored encrypted, scoped to your organization, and used only to route your assessment traffic through the proxy. They are never exposed to candidates or to other customers, and you can rotate or revoke them at any time.

Compliance & legal

Are you SOC 2 or ISO 27001 certified?

Not yet. We are an early-stage company and are pursuing formal certification (SOC 2 Type II) as we grow.

In the meantime we operate the security controls described in our DPA (encryption, role-based access, audit logging, and breach notification) and we are happy to walk your security team through our posture and answer a questionnaire.

Will you sign a DPA?

Yes. Our standard Data Processing Agreement covers GDPR, UK GDPR, and CCPA/CPRA. It incorporates the EU Standard Contractual Clauses and the UK Addendum for international transfers, and commits us to breach notification within 72 hours.

Are you GDPR and CCPA compliant?

We are built to support both. We process candidate and customer data under defined legal bases, honor data-subject rights (access, correction, deletion, portability, objection), and use Standard Contractual Clauses for EU/UK transfers. The specifics are documented in our Privacy Policy and DPA.

Who are your sub-processors?

We publish a current list of sub-processors (our infrastructure, authentication, email, analytics, and LLM providers) and what each one processes. Per our DPA, we notify customers before adding or replacing a sub-processor, and you may object.

What happens if there is a data breach?

Our DPA commits us to notifying affected customers without undue delay and within 72 hours of becoming aware of a breach, including what happened, the likely impact, and the steps we are taking. We maintain an incident response process for containment, eradication, and remediation.

Can we get security documentation for a vendor review?

Yes. Email security@promptster.ai and we'll share what your team needs: our DPA, the sub-processor list, and answers to your security questionnaire.

Documents & contacts

Security questions or a vendor review? Email security@promptster.ai and we'll turn it around quickly.

For privacy or data-subject requests (access, deletion), email privacy@promptster.ai. For DPA execution, email dpa@promptster.ai.
