// Trust & Security Report

    Proposify Inc. logo

    Proposify Inc.

    Proposal, quoting, contract and e-signature software for sales teams

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Proposify is SOC2 Type 2 certified to reflect our long-standing commitment to security. We have been audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. ... The certification effort was completed by the professional and independent third-party audit firm, 360 Advanced, Inc. We are happy to provide a report upon request.

    Verify on proposify.com
    GDPR
    HELD

    Proposify is committed to protecting our client's data and privacy. That is why we maintain our GDPR compliance and enable our customers to set their own compliance preferences as a controller. ... Our Terms of Use, Privacy Policy, and Data Processing Addendum are reflective of our GDPR commitment.

    Verify on proposify.com
    PCI-DSS (Service Provider Level 1, via Stripe)
    HELD

    Proposify uses Stripe to process payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most rigorous level of certification available in the industry.

    Verify on proposify.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 on the Proposify security page or any vendor-owned page reviewed.

    source: proposify.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA, BAA, or healthcare compliance on the Proposify security page or any vendor-owned page reviewed.

    source: proposify.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Northern Virginia, USA (AWS / US data residency, single multi-tenant datastore with application-level isolation)

    Proposify ships AI features (AI Proposal Generator, AI writing/automation in the editor) but publishes no explicit statement about whether customer proposal content or inputs are used to train AI models, nor which AI provider powers the features. The privacy policy states 'We may share your aggregate anonymous information with third parties in order to improve the Website and Services or for marketing purposes' and 'to generate analytics for the improvement of the Website and Services,' but there is no specific AI-training disclosure. Customer-facing AI data-use is therefore undisclosed; treat default training behavior as unverified until confirmed with the vendor.

    // Security controls

    Encryption in transit

    All data sent to or from Proposify is encrypted using 256-bit encryption (SHA-256 with RSA). API and application endpoints are TLS/SSL only; account access is HTTPS only. (Note: client previews on a custom domain may be served over HTTP.)

    proposify.com

    Password handling

    Passwords are one-way encrypted (hashed); the vendor states they cannot decrypt them.

    proposify.com

    Hosting / network isolation

    Hosted on AWS inside a Virtual Private Cloud, hardened to industry best practices, patched regularly, built with disaster recovery in mind.

    proposify.com

    Tenant isolation

    No per-customer datastore; application-level privacy controls enforce tenant separation, backed by unit and integration tests that block deploys on any single failure.

    proposify.com

    Employee access

    Hosting-provider access secured with 2FA; employees limited to environments they work with.

    proposify.com

    Backups

    Critical systems backed up nightly, stored off-site, tested and verified monthly.

    proposify.com

    Monitoring & uptime

    24/7 system monitoring; stated uptime 99.9%+; public status page at status.proposify.com.

    proposify.com

    Vulnerability reporting

    Ad-hoc disclosure to support@proposify.com only. No public bug bounty program (HackerOne / Bugcrowd) found, and no formal penetration-testing program is disclosed on vendor pages.

    proposify.com

    E-signature legal compliance

    Built-in e-signatures compliant with UETA (1999), ESIGN (2000), and eIDAS (Regulation 910/2014/EC); records signer IP and timestamp, provides audit trail, locks documents after signing.

    proposify.com

    // Products & data scope

    Proposify proposal management platformProposal / quoting / contract software (SaaS)

    data: Stores customer account data (name, business, billing address, card data), uploaded business contacts, and proposal/quote/contract content. US data residency (Northern Virginia, AWS). Multi-tenant with application-level isolation. Covered by SOC 2 Type 2, GDPR posture, and DPA.

    Core product used by sales/marketing/ops teams. Pulls data from connected CRMs.

    E-Signatures & FormsElectronic signature

    data: Stores signed documents, signer IP addresses, and date/time stamps on Proposify servers as the legal audit trail. UETA/ESIGN/eIDAS aligned.

    Built into the platform; documents locked from modification after signing.

    AI Proposal Generator / AI writing & automationGenerative AI assist

    data: Processes user-provided prompts and proposal content to generate templates/copy. No published disclosure of AI provider, retention, or whether inputs train models. A marketing claim states the free generator does not store data after generation, but this is not reflected in the privacy policy.

    Key gap for AI-tooling buyers: AI data-use terms are undocumented. Confirm with vendor before processing sensitive content.

    Developer API & IntegrationsAPI / integrations

    data: Programmatic access to proposal data over TLS-only endpoints; integrates with major CRM, invoicing, and sales platforms.

    Same US data residency and SOC 2 scope as the core platform.

    Payments (Stripe)Payment processing (subprocessor)

    data: Card data handled by Stripe (PCI Service Provider Level 1), not stored/processed directly by Proposify's own PCI environment.

    PCI coverage is inherited from Stripe, not a Proposify-held PCI certification.

    // What to watch

    • AI data-use undisclosed: vendor ships AI features but does not state whether customer inputs/proposals are used to train models, nor which AI provider is used.
    • No public bug bounty program (no HackerOne/Bugcrowd); vulnerability reporting is ad-hoc via support email.
    • Penetration testing not explicitly disclosed on vendor pages (SOC 2 Type 2 audit implies controls testing, but no standalone pentest statement).
    • US-only data residency; no EU/other region option, which may matter for EU customers despite stated GDPR compliance.
    • No ISO 27001 and no HIPAA/BAA: do not list this tool as suitable for regulated healthcare data.
    • Client previews on custom domains may be served over HTTP per the vendor's own security page.

    // At a glance

    Pricing model

    Subscription SaaS, per-user tiered plans plus a free trial / free tier; paid Professional Services for template design. Enterprise/custom plans available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Proposify Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    proposify.com

    > Browse all vendor trust reports