// Trust & Security Report
Prowly.com Sp. z o.o. (a Semrush company)
Prowly PR & Media Relations Software, now offered as the Semrush AI PR Toolkit (modules: Newsroom, Press Release Creator, Emails, Contacts/Media Database, Media Discovery, Media Monitoring, Journalist Accounts, PR Reports, ProwlyAI)
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on semrush.com“We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate.”
Verify on semrush.com“Semrush's products adhere to GDPR requirements effective May 25, 2018.”
Verify on semrush.com“We also monitor other countries' privacy legislation such as CCPA, LGPD, and others and comply with their requirements to ensure the security of personal data.”
Verify on semrush.com“Not stated on the vendor's own security page. The Semrush security page lists PCI DSS Level 1 and GDPR/CCPA adherence but makes no SOC 2 claim. Third-party security-profile sites assert SOC 2, but no vendor-domain proof quote was found.”
Verify on semrush.com“Not stated on the vendor's own security page. No ISO 27001 claim found on semrush.com or prowly.com; only infrastructure partners (AWS, GCP, Digital Realty) carry their own certifications.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Controller entity is Prowly.com Sp. z o.o., established in Poland (EU). Hosting is on AWS, Google Cloud Platform, and Digital Realty data centers. No single guaranteed data-residency region is published; treat as EU/global.
ProwlyAI / AI features run under the Semrush Artificial Intelligence Services Terms. Verbatim: 'Semrush does not train or develop its models, and does not allow its third-party providers to train or develop its models on User Input.' and 'You retain all rights you may have in User Input.' Note: the Terms of Service warn the Services are not designed for sensitive information and users must not process sensitive data with them.
// Security controls
Bug bounty program
Yes, public program on HackerOne (hackerone.com/semrush). 'A Bug Bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws.'
semrush.comPenetration testing
Annual full pentest plus per-release feature testing: 'Semrush conducts penetration tests annually' and the security team 'conducts penetration tests of new features every week according to release policy.'
semrush.comData Processing Agreement
DPA published and incorporated into the Terms of Service: 'the Data Processing Agreement located at https://prowly.com/data-processing-addendum/ (the "DPA") will apply to Prowly's processing of such personal data on your behalf.'
prowly.com// Products & data scope
data: Prowly is the data CONTROLLER for Media Contact records (names, public contact details, position, social links) sourced from public data and database suppliers. Customers act as controllers for lists they build/export.
Media Contacts can request removal via privacy@prowly.com. Sensitive data may be processed only where the contact made it explicitly public.
data: Customer-uploaded contact data and campaign content; Prowly acts as PROCESSOR on the customer's behalf, governed by the DPA. Hard cap of 5000 recipients per mail.
Tracks recipient engagement (opens, follow-ups, earned mentions).
data: Monitors public news, blogs, forums; aggregates brand-mention and audience/demographic analytics. Largely public-source data plus AI summaries.
AI summaries are part of ProwlyAI.
data: Customer-published press content; visitor analytics via cookies on Prowly-powered newsrooms. Optional Google Drive integration accesses only files the user elects to share (non-restricted scopes).
Google API data is not used for ads and not transferred except to service providers.
data: User Input to AI features governed by Semrush AI Services Terms; NOT used to train Semrush or third-party models; user retains rights to input.
Prowly is being marketed as / folded into the 'Semrush AI PR Toolkit'; homepage shows transitional FAQ ('Can I still sign up for Prowly?').
// What to watch
- SOC 2 and ISO 27001 are NOT claimed on the vendor's own domain; third-party profile sites assert them but lack a verifiable vendor-domain proof quote. Marked unknown, not held.
- Product transition: Prowly is now branded/sold as the Semrush AI PR Toolkit, with a homepage FAQ ('Can I still sign up for Prowly?') suggesting standalone signup is changing. Listing should note the Semrush ownership and rebrand.
- Security posture is inherited from Semrush (parent); Prowly does not publish a separate trust center or its own SOC 2/ISO docs.
- ToS explicitly states the Services are not designed for sensitive information; not suitable for HIPAA/PHI or other regulated sensitive-data workloads.
// At a glance
Pricing model
Paid SaaS subscription (per Subscription Plan at prowly.com/pricing) with time-limited free trial; some Journalist Account features free. Now positioned as the Semrush AI PR Toolkit.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Prowly.com Sp. z o.o. (a Semrush company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
semrush.com