Security & Data Protection

Your data is in safe hands. Protime acts as a data processor and processes your data exclusively in the EU.

Three Security Tiers — You Choose

Standard confidentiality, elevated compliance, or structural separation into your own cloud — the security setup applies company-wide and can be upgraded later. A one-page overview of all three tiers is available. In daily pilot use at Loeb AG (Swiss family business) since early March 2026.

Your Questions, Answered

Are my emails safe?

Protime accesses your emails via OAuth — we never know your password, and you can revoke access at any time. For standard briefings, processed emails are automatically deleted after a maximum of 3 months. For Inbox Briefings, emails are only read and analyzed — no email content is stored. Your inbox always remains untouched.

Can the Protime team read my emails?

No. Your email content is processed automatically by AI — no human ever reads it. Access to customer data is restricted to authorized personnel and occurs exclusively for troubleshooting or upon your support request. We cannot and do not browse your inbox.

Can Protime be hacked?

We don't run our own servers. Everything runs on Google Cloud — the same infrastructure that protects Gmail and Google Workspace. Our application is Google CASA Tier 2 verified — the strictest security assessment Google requires for apps with email access. Monitoring is continuous through Google Security Command Center.

Can my business secrets be lost?

Your data is never used for AI training. No Protime employee reads your content. Everything is encrypted (AES-256), everything stays in the EU (Frankfurt). AI processing runs under Google's Cloud contract — Google may not share your data.

Our Commitments

Your data never trains AI models — not now, not ever.
Your data is never sold or shared with third parties.
You control access — revoke it any time through your email provider.
All data stays in the EU — Google Cloud Frankfurt, no exceptions.
GDPR & revDSG Compliant
Google CASA Tier 2 Verified
EU Data Hosting
No Human Reads Your Emails
No AI Training on Your Data

Data Protection

Protime acts as a Data Processor in accordance with Art. 28 GDPR and Art. 9 of the Swiss Data Protection Act (revDSG). We process personal data exclusively on behalf of and under the instructions of our customers.

For business customers, we provide a Data Processing Agreement (DPA) upon request — available in a Swiss version (revDSG) and an EU/German version (GDPR). We maintain a current list of all sub-processors, available upon request.

The competent supervisory authority in Switzerland is the FDPIC (Federal Data Protection and Information Commissioner). For users in the EU/EEA, the respective national data protection authority is the point of contact.

Data Hosting & Infrastructure

All data is hosted on the Google Cloud Platform in the Google data center in Frankfurt, Germany. We use Firebase Authentication, Cloud Firestore, and Cloud Functions. No data is stored outside the EU.

Encryption

  • In transit: All connections are encrypted with TLS/SSL.
  • At rest: Google Cloud default encryption (AES-256) for all stored data.
  • Authentication: OAuth 2.0 for Gmail and Outlook access. No passwords are stored.

AI Processing

We exclusively use Google Gemini for briefing generation. Processing takes place under the Google Cloud Data Processing Agreement (DPA) in the Google data center in Frankfurt, Germany. Google does not use your data to train general AI models (per Google Cloud Terms of Service).

Email & Calendar Access

  • We use OAuth 2.0 for secure access to your email and calendar. Access can be revoked at any time through your email provider's account settings.
  • Processed emails are automatically deleted after a maximum of 3 months. The generated summaries are retained.
  • Protime complies with the Google Limited Use Policy and the Google API Services User Data Policy.

Infrastructure Security & Monitoring

  • Google Security Command Center for continuous threat detection, intrusion monitoring, and misconfiguration alerts.
  • Cloud Monitoring with uptime checks, performance metrics, and automated error reporting for all services.
  • Structured logging across all Cloud Functions with severity levels, enabling real-time anomaly detection.
  • Cloud Armor Web Application Firewall protecting against OWASP Top 10 attacks.
  • GitHub branch protection and code review requirements for all production changes.
  • Automated vulnerability scanning for all container images and dependencies.
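The list above mentions structured logging with severity levels as the basis for real-time anomaly detection. The block below is an added illustration of what such detection can look like over JSON-per-line log records; it is example code written for this page, not Protime's own pipeline. It assumes each record carries a "severity" field (the convention Google Cloud Logging uses for JSON payloads) plus "timestamp", "function" and "message" fields; the sample records, function names and messages are constructed for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, as a Cloud Function might
# emit for structured logging. One deliberately malformed line is included
# to show that the parser tolerates it. All values are made up.
_RECORDS = [
    {"timestamp": "2026-03-02T08:00:01Z", "severity": "INFO", "function": "generateBriefing", "message": "briefing ok"},
    {"timestamp": "2026-03-02T08:00:30Z", "severity": "ERROR", "function": "generateBriefing", "message": "model call timed out"},
    {"timestamp": "2026-03-02T08:01:10Z", "severity": "ERROR", "function": "generateBriefing", "message": "model call timed out"},
    {"timestamp": "2026-03-02T08:01:45Z", "severity": "WARNING", "function": "generateBriefing", "message": "retrying"},
    {"timestamp": "2026-03-02T08:02:20Z", "severity": "ERROR", "function": "generateBriefing", "message": "model call timed out"},
    {"timestamp": "2026-03-02T08:03:00Z", "severity": "CRITICAL", "function": "generateBriefing", "message": "circuit breaker open"},
    {"timestamp": "2026-03-02T08:05:00Z", "severity": "ERROR", "function": "syncInbox", "message": "OAuth token expired"},
    {"timestamp": "2026-03-02T08:25:00Z", "severity": "ERROR", "function": "syncInbox", "message": "OAuth token expired"},
    {"timestamp": "2026-03-02T08:26:00Z", "severity": "INFO", "function": "syncInbox", "message": "sync ok"},
]
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in _RECORDS) + "\nthis line is not JSON\n"

# Cloud Logging severity names, ordered so they can be compared numerically.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "NOTICE": 2, "WARNING": 3, "ERROR": 4, "CRITICAL": 5}


def parse_records(text):
    """Parse JSON-per-line log text; skip lines that are not valid JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count these as a signal of its own
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def severity_counts(records):
    """Count records per severity level (the raw material for dashboards)."""
    return Counter(r.get("severity", "DEFAULT") for r in records)


def detect_error_bursts(records, window=timedelta(minutes=5), threshold=3, min_severity="ERROR"):
    """Sliding-window detector: for each function, flag when at least `threshold`
    records at or above `min_severity` fall inside any `window`-long span.
    Returns {function: peak count inside the window} for functions that fired."""
    min_rank = SEVERITY_RANK[min_severity]
    by_fn = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if SEVERITY_RANK.get(r.get("severity", "DEFAULT"), 0) >= min_rank:
            by_fn[r.get("function", "unknown")].append(r["ts"])

    alerts = {}
    for fn, times in by_fn.items():
        start = 0
        for end in range(len(times)):
            # advance the window start until all timestamps fit inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[fn] = max(alerts.get(fn, 0), count)
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    print("records parsed:", len(recs))
    print("per severity:", dict(severity_counts(recs)))
    print("error bursts:", detect_error_bursts(recs))
```

With the constructed sample, generateBriefing produces four ERROR-or-worse records within two and a half minutes and is flagged, while syncInbox's two errors are twenty minutes apart and stay below the threshold. The same shape (parse, rank severities, count in a sliding window per source) is what a log-based alerting rule implements, whether in code like this or as a log-based metric with an alert threshold in Cloud Monitoring.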

Organizational Security

  • Access to customer data is restricted to authorized personnel and occurs exclusively for troubleshooting or upon support request.
  • Multi-factor authentication (MFA) enforced on all critical systems: cloud infrastructure, code repositories, payment processing, and email delivery.
  • Password management follows NIST SP 800-63B guidelines: unique generated passwords per service, no scheduled rotation, change only on compromise.
  • Full-disk encryption (AES-256) on all company devices. Unencrypted access to customer data is not possible.
  • We maintain an incident response process with a 72-hour notification deadline in accordance with GDPR requirements.
  • Regular security assessments, including Google CASA Tier 2 (Cloud Application Security Assessment, verified until Feb 2027).
  • All system logs are retained for 365 days to ensure full traceability and compliance auditability.
  • Data Protection Contact: Marc Loeb, data@protime.ai

Compliance & Standards

Protime implements appropriate technical and organizational measures aligned with current European security standards. Our security controls are designed to support your NIS2 supply chain compliance requirements.

| Standard / Framework | Status | Details |
| --- | --- | --- |
| GDPR & revDSG | Certified | Full compliance with EU and Swiss data protection regulations, including Data Processing Agreements (DPA/AVV), documented technical and organizational measures (TOMs), and sub-processor transparency. |
| Google CASA Tier 2 | Certified | Independent security assessment by an App Defense Alliance authorized lab, verifying application security across 13 OWASP ASVS categories. Certified until February 2027. |
| ISO 27001:2022 | In progress | Full ISMS implemented: Statement of Applicability v1.3, 12 consolidated policies covering all applicable Annex A controls, Risk Register, Records of Processing Activities, Business Continuity Plan. Certification audit with SGS Switzerland initiated April 2026. |
| SOC 2 Type I | Planned | Controls SOC 2-ready. Type I engagement scheduled with TAC Security (completion ~30 days once initiated). |
| NIS2 supply chain | Aligned — certification pending | Our security measures are designed to help regulated organizations meet their NIS2 supply chain due diligence obligations (Art. 21(2)(d)). |

Sub-Processors

A current overview of the services used to provide Protime:

| Sub-Processor | Purpose | Data Location | Certifications | Transfer Safeguard |
| --- | --- | --- | --- | --- |
| Google Cloud Platform | Firestore, Cloud Functions, Firebase Auth | europe-west3 (Frankfurt) | ISO 27001, SOC 2 Type II, ISO 27701 | Swiss-US DPF |
| Google Vertex AI (Gemini) | AI inference (briefings, inbox classification, drafts) | EU region | ISO 27001, SOC 2 Type II | Swiss-US DPF |
| Microsoft Graph | Outlook OAuth (Mail.Read) | EU / US | ISO 27001, SOC 2 Type II | Swiss-US DPF |
| Stripe | Payment processing | US / EU | PCI DSS Level 1, SOC 2 Type II, ISO 27001 | Swiss-US DPF |
| SendGrid (Twilio) | Transactional email delivery | US | ISO 27001, SOC 2 Type II | Swiss-US DPF |
| GitHub (Microsoft) | Source code hosting (no customer data) | US | ISO 27001, SOC 2 Type II | Swiss-US DPF |

Responsible Disclosure

Security researchers and customers can report vulnerabilities via our coordinated disclosure channel.

We acknowledge reports within 3 business days and commit to a 90-day disclosure window for fixes.

Contact

For security inquiries, data protection questions, or to report vulnerabilities, contact us at:

data@protime.ai