Security & Data Protection

Your data is in safe hands. Protime acts as a data processor and processes your data exclusively in the EU.

Your Questions, Answered

Are my emails safe?

Protime accesses your emails via OAuth — we never know your password, and you can revoke access at any time. For standard briefings, processed emails are automatically deleted after a maximum of 3 months. For Inbox Briefings, emails are only read and analyzed — no email content is stored. Your inbox always remains untouched.

Can the Protime team read my emails?

No. Your email content is processed automatically by AI — no human ever reads it. Access to customer data is restricted to authorized personnel and occurs exclusively for troubleshooting or upon your support request. We cannot and do not browse your inbox.

Can Protime be hacked?

We don't run our own servers. Everything runs on Google Cloud — the same infrastructure that protects Gmail and Google Workspace. Our application is Google CASA Tier 2 verified — the strictest security assessment Google requires for apps with email access. Monitoring is continuous through Google Security Command Center.

Can my business secrets be lost?

Your data is never used for AI training. No Protime employee reads your content. Everything is encrypted (AES-256), everything stays in the EU (Frankfurt). AI processing runs under Google's Cloud contract — Google may not share your data.

Our Commitments

Your data never trains AI models — not now, not ever.
Your data is never sold or shared with third parties.
You control access — revoke it any time through your email provider.
All data stays in the EU — Google Cloud Frankfurt, no exceptions.
GDPR & revDSG Compliant
Google CASA Tier 2 Verified
EU Data Hosting
No Human Reads Your Emails
No AI Training on Your Data

Data Protection

Protime acts as a Data Processor in accordance with Art. 28 GDPR and Art. 9 of the Swiss Data Protection Act (revDSG). We process personal data exclusively on behalf of and under the instructions of our customers.

For business customers, we provide a Data Processing Agreement (DPA) upon request — available in a Swiss version (revDSG) and an EU/German version (GDPR). We maintain a current list of all sub-processors, available upon request.

The competent supervisory authority in Switzerland is the FDPIC (Federal Data Protection and Information Commissioner). For users in the EU/EEA, the respective national data protection authority is the point of contact.

Data Hosting & Infrastructure

All data is hosted on the Google Cloud Platform in the Google data center in Frankfurt, Germany. We use Firebase Authentication, Cloud Firestore, and Cloud Functions. No data is stored outside the EU.

Encryption

  • In transit: All connections are encrypted with TLS/SSL.
  • At rest: Google Cloud default encryption (AES-256) for all stored data.
  • Authentication: OAuth 2.0 for Gmail and Outlook access. No passwords are stored.

AI Processing

We exclusively use Google Gemini for briefing generation. Processing takes place under the Google Cloud Data Processing Agreement (DPA) in the Google data center in Frankfurt, Germany. Google does not use your data to train general AI models (per Google Cloud Terms of Service).

Email & Calendar Access

  • We use OAuth 2.0 for secure access to your email and calendar. Access can be revoked at any time through your email provider's account settings.
  • Processed emails are automatically deleted after a maximum of 3 months. The generated summaries are retained.
  • Protime complies with the Google Limited Use Policy and the Google API Services User Data Policy.

Infrastructure Security & Monitoring

  • Google Security Command Center for continuous threat detection, intrusion monitoring, and misconfiguration alerts.
  • Cloud Monitoring with uptime checks, performance metrics, and automated error reporting for all services.
  • Structured logging across all Cloud Functions with severity levels, enabling real-time anomaly detection.
  • Cloud Armor Web Application Firewall protecting against OWASP Top 10 attacks.
  • GitHub branch protection and code review requirements for all production changes.
  • Automated vulnerability scanning for all container images and dependencies.

Organizational Security

  • Access to customer data is restricted to authorized personnel and occurs exclusively for troubleshooting or upon support request.
  • Multi-factor authentication (MFA) enforced on all critical systems: cloud infrastructure, code repositories, payment processing, and email delivery.
  • Password management follows NIST SP 800-63B guidelines: unique generated passwords per service, no scheduled rotation, change only on compromise.
  • Full-disk encryption (AES-256) on all company devices. Unencrypted access to customer data is not possible.
  • We maintain an incident response process with a 72-hour notification deadline in accordance with GDPR requirements.
  • Regular security assessments, including Google CASA Tier 2 (Cloud Application Security Assessment, verified until Feb 2027).
  • All system logs are retained for 365 days to ensure full traceability and compliance auditability.
  • Data Protection Contact: Marc Loeb, data@protime.ai

Compliance & Standards

Protime implements appropriate technical and organizational measures aligned with current European security standards. Our security controls are designed to support your NIS2 supply chain compliance requirements.

  • GDPR & revDSG — Full compliance with EU and Swiss data protection regulations, including Data Processing Agreements (DPA/AVV), documented technical and organizational measures (TOMs), and sub-processor transparency.
  • Google CASA Tier 2 — Independent security assessment by an App Defense Alliance authorized lab, verifying application security across 13 OWASP ASVS categories. Certified until February 2027.
  • SOC 2 — Our infrastructure and controls are SOC 2-ready. Type I certification can be completed within 30 days upon request.
  • ISO 27001 — Security controls aligned with ISO 27001:2022 requirements. Formal certification is on our roadmap.
  • NIS2 Supply Chain — Our security measures are designed to help regulated organizations meet their NIS2 supply chain due diligence obligations (Art. 21(2)(d)).

Sub-Processors

A current overview of the services used to provide Protime:

  • Google Cloud Platform (Firestore, Cloud Functions, Firebase Auth) — Google data center Frankfurt, Germany. Google Cloud DPA.
  • Google Gemini — AI summarization, Google data center Frankfurt, Germany. Google Cloud DPA. No training on customer data.
  • Google Vertex AI — Embeddings and image generation, Google data center Frankfurt, Germany. Google Cloud DPA.
  • Microsoft Azure — Outlook OAuth 2.0, Microsoft Online Services DPA, EU-US Data Privacy Framework.
  • Stripe — Payment processing, Stripe DPA, EU-US Data Privacy Framework.
  • SendGrid (Twilio) — Email delivery, Twilio DPA, EU-US Data Privacy Framework.

Contact

For security inquiries, data protection questions, or to report vulnerabilities, contact us at:

data@protime.ai