// Trust & Security Report
Proposify Inc.
Proposal, quoting, contract and e-signature software for sales teams
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on proposify.com“Proposify is SOC2 Type 2 certified to reflect our long-standing commitment to security. We have been audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. ... The certification effort was completed by the professional and independent third-party audit firm, 360 Advanced, Inc. We are happy to provide a report upon request.”
Verify on proposify.com“Proposify is committed to protecting our client's data and privacy. That is why we maintain our GDPR compliance and enable our customers to set their own compliance preferences as a controller. ... Our Terms of Use, Privacy Policy, and Data Processing Addendum are reflective of our GDPR commitment.”
Verify on proposify.com“Proposify uses Stripe to process payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most rigorous level of certification available in the industry.”
> Show 2 unconfirmed / not-held certifications
source: proposify.comNo mention of ISO 27001 on the Proposify security page or any vendor-owned page reviewed.
source: proposify.comNo mention of HIPAA, BAA, or healthcare compliance on the Proposify security page or any vendor-owned page reviewed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Northern Virginia, USA (AWS / US data residency, single multi-tenant datastore with application-level isolation)
Proposify ships AI features (AI Proposal Generator, AI writing/automation in the editor) but publishes no explicit statement about whether customer proposal content or inputs are used to train AI models, nor which AI provider powers the features. The privacy policy states 'We may share your aggregate anonymous information with third parties in order to improve the Website and Services or for marketing purposes' and 'to generate analytics for the improvement of the Website and Services,' but there is no specific AI-training disclosure. Customer-facing AI data-use is therefore undisclosed; treat default training behavior as unverified until confirmed with the vendor.
// Security controls
Encryption in transit
All data sent to or from Proposify is encrypted using 256-bit encryption (SHA-256 with RSA). API and application endpoints are TLS/SSL only; account access is HTTPS only. (Note: client previews on a custom domain may be served over HTTP.)
proposify.comPassword handling
Passwords are one-way encrypted (hashed); the vendor states they cannot decrypt them.
proposify.comHosting / network isolation
Hosted on AWS inside a Virtual Private Cloud, hardened to industry best practices, patched regularly, built with disaster recovery in mind.
proposify.comTenant isolation
No per-customer datastore; application-level privacy controls enforce tenant separation, backed by unit and integration tests that block deploys on any single failure.
proposify.comEmployee access
Hosting-provider access secured with 2FA; employees limited to environments they work with.
proposify.comBackups
Critical systems backed up nightly, stored off-site, tested and verified monthly.
proposify.comMonitoring & uptime
24/7 system monitoring; stated uptime 99.9%+; public status page at status.proposify.com.
proposify.comVulnerability reporting
Ad-hoc disclosure to support@proposify.com only. No public bug bounty program (HackerOne / Bugcrowd) found, and no formal penetration-testing program is disclosed on vendor pages.
proposify.comE-signature legal compliance
Built-in e-signatures compliant with UETA (1999), ESIGN (2000), and eIDAS (Regulation 910/2014/EC); records signer IP and timestamp, provides audit trail, locks documents after signing.
proposify.com// Products & data scope
data: Stores customer account data (name, business, billing address, card data), uploaded business contacts, and proposal/quote/contract content. US data residency (Northern Virginia, AWS). Multi-tenant with application-level isolation. Covered by SOC 2 Type 2, GDPR posture, and DPA.
Core product used by sales/marketing/ops teams. Pulls data from connected CRMs.
data: Stores signed documents, signer IP addresses, and date/time stamps on Proposify servers as the legal audit trail. UETA/ESIGN/eIDAS aligned.
Built into the platform; documents locked from modification after signing.
data: Processes user-provided prompts and proposal content to generate templates/copy. No published disclosure of AI provider, retention, or whether inputs train models. A marketing claim states the free generator does not store data after generation, but this is not reflected in the privacy policy.
Key gap for AI-tooling buyers: AI data-use terms are undocumented. Confirm with vendor before processing sensitive content.
data: Programmatic access to proposal data over TLS-only endpoints; integrates with major CRM, invoicing, and sales platforms.
Same US data residency and SOC 2 scope as the core platform.
data: Card data handled by Stripe (PCI Service Provider Level 1), not stored/processed directly by Proposify's own PCI environment.
PCI coverage is inherited from Stripe, not a Proposify-held PCI certification.
// What to watch
- AI data-use undisclosed: vendor ships AI features but does not state whether customer inputs/proposals are used to train models, nor which AI provider is used.
- No public bug bounty program (no HackerOne/Bugcrowd); vulnerability reporting is ad-hoc via support email.
- Penetration testing not explicitly disclosed on vendor pages (SOC 2 Type 2 audit implies controls testing, but no standalone pentest statement).
- US-only data residency; no EU/other region option, which may matter for EU customers despite stated GDPR compliance.
- No ISO 27001 and no HIPAA/BAA: do not list this tool as suitable for regulated healthcare data.
- Client previews on custom domains may be served over HTTP per the vendor's own security page.
// At a glance
Pricing model
Subscription SaaS, per-user tiered plans plus a free trial / free tier; paid Professional Services for template design. Enterprise/custom plans available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Proposify Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
proposify.com