// Trust & Security Report

    Prowly.com Sp. z o.o. (a Semrush company) logo

    Prowly.com Sp. z o.o. (a Semrush company)

    Prowly PR & Media Relations Software, now offered as the Semrush AI PR Toolkit (modules: Newsroom, Press Release Creator, Emails, Contacts/Media Database, Media Discovery, Media Monitoring, Journalist Accounts, PR Reports, ProwlyAI)

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS Level 1
    HELD

    We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate.

    Verify on semrush.com
    GDPR
    HELD

    Semrush's products adhere to GDPR requirements effective May 25, 2018.

    Verify on semrush.com
    CCPA / LGPD (privacy regulation adherence)
    HELD

    We also monitor other countries' privacy legislation such as CCPA, LGPD, and others and comply with their requirements to ensure the security of personal data.

    Verify on semrush.com
    SOC 2 (Type I/II)
    HELD

    Not stated on the vendor's own security page. The Semrush security page lists PCI DSS Level 1 and GDPR/CCPA adherence but makes no SOC 2 claim. Third-party security-profile sites assert SOC 2, but no vendor-domain proof quote was found.

    Verify on semrush.com
    ISO 27001
    HELD

    Not stated on the vendor's own security page. No ISO 27001 claim found on semrush.com or prowly.com; only infrastructure partners (AWS, GCP, Digital Realty) carry their own certifications.

    Verify on semrush.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Controller entity is Prowly.com Sp. z o.o., established in Poland (EU). Hosting is on AWS, Google Cloud Platform, and Digital Realty data centers. No single guaranteed data-residency region is published; treat as EU/global.

    ProwlyAI / AI features run under the Semrush Artificial Intelligence Services Terms. Verbatim: 'Semrush does not train or develop its models, and does not allow its third-party providers to train or develop its models on User Input.' and 'You retain all rights you may have in User Input.' Note: the Terms of Service warn the Services are not designed for sensitive information and users must not process sensitive data with them.

    // Security controls

    Bug bounty program

    Yes, public program on HackerOne (hackerone.com/semrush). 'A Bug Bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws.'

    semrush.com

    Penetration testing

    Annual full pentest plus per-release feature testing: 'Semrush conducts penetration tests annually' and the security team 'conducts penetration tests of new features every week according to release policy.'

    semrush.com

    Encryption

    TLS 1.2+ in transit, AES-256 at rest.

    semrush.com

    Hosting / infrastructure

    AWS, Google Cloud Platform, and Digital Realty data centers.

    semrush.com

    Data Processing Agreement

    DPA published and incorporated into the Terms of Service: 'the Data Processing Agreement located at https://prowly.com/data-processing-addendum/ (the "DPA") will apply to Prowly's processing of such personal data on your behalf.'

    prowly.com

    Security contact

    security@semrush.com

    semrush.com

    // Products & data scope

    Media Database (Media Discovery / Contacts)Journalist & media-contact database

    data: Prowly is the data CONTROLLER for Media Contact records (names, public contact details, position, social links) sourced from public data and database suppliers. Customers act as controllers for lists they build/export.

    Media Contacts can request removal via privacy@prowly.com. Sensitive data may be processed only where the contact made it explicitly public.

    Emails / Media Pitch & OutreachEmail outreach and engagement analytics

    data: Customer-uploaded contact data and campaign content; Prowly acts as PROCESSOR on the customer's behalf, governed by the DPA. Hard cap of 5000 recipients per mail.

    Tracks recipient engagement (opens, follow-ups, earned mentions).

    Media Monitoring & PR ReportsMedia monitoring and analytics

    data: Monitors public news, blogs, forums; aggregates brand-mention and audience/demographic analytics. Largely public-source data plus AI summaries.

    AI summaries are part of ProwlyAI.

    Newsroom / Press Release CreatorOnline newsroom and content publishing

    data: Customer-published press content; visitor analytics via cookies on Prowly-powered newsrooms. Optional Google Drive integration accesses only files the user elects to share (non-restricted scopes).

    Google API data is not used for ads and not transferred except to service providers.

    ProwlyAI (AI PR Toolkit)Generative AI for PR (drafting emails/press releases, AI-cited media discovery)

    data: User Input to AI features governed by Semrush AI Services Terms; NOT used to train Semrush or third-party models; user retains rights to input.

    Prowly is being marketed as / folded into the 'Semrush AI PR Toolkit'; homepage shows transitional FAQ ('Can I still sign up for Prowly?').

    // What to watch

    • SOC 2 and ISO 27001 are NOT claimed on the vendor's own domain; third-party profile sites assert them but lack a verifiable vendor-domain proof quote. Marked unknown, not held.
    • Product transition: Prowly is now branded/sold as the Semrush AI PR Toolkit, with a homepage FAQ ('Can I still sign up for Prowly?') suggesting standalone signup is changing. Listing should note the Semrush ownership and rebrand.
    • Security posture is inherited from Semrush (parent); Prowly does not publish a separate trust center or its own SOC 2/ISO docs.
    • ToS explicitly states the Services are not designed for sensitive information; not suitable for HIPAA/PHI or other regulated sensitive-data workloads.

    // At a glance

    Pricing model

    Paid SaaS subscription (per Subscription Plan at prowly.com/pricing) with time-limited free trial; some Journalist Account features free. Now positioned as the Semrush AI PR Toolkit.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Prowly.com Sp. z o.o. (a Semrush company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    semrush.com

    > Browse all vendor trust reports