Trust

Security & Data Practices

We built prompt1 for developers — people who care deeply about what software does under the hood. This page explains exactly how we handle your data, what the plugin does and doesn't do, and how our infrastructure is secured.

The Data Boundary

What we collect

  • Prompt quality signals (clarity score, file ref count)
  • Workflow signals (test/lint/build frequency)
  • Security signals (permission mode, CLAUDE.md)
  • Session metadata (duration, prompt count, tool count)
  • Edit accept/reject rates
  • Token usage per session

What we never collect

  • Source code or file contents
  • Prompt text or Claude responses
  • File paths or repository names
  • Environment variables or secrets
  • Keystrokes or screen recordings
  • Git diffs or commit messages

Plugin Architecture

The plugin runs locally on your machine as a set of Claude Code hooks. It is open source and auditable — the full source lives in the plugin/ directory of our repository. Key design decisions:

  • Async-only — hooks fire after operations complete, zero impact on response time
  • Local aggregation — metrics are computed locally before transmission, raw data never leaves your machine
  • Fail-open — if the plugin encounters an error, it silently fails without disrupting your workflow
  • Uninstall anytime — one command to fully remove all hooks and local data
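The example below is added here to illustrate the "local aggregation" and "fail-open" design from the list above, together with the collect/never-collect boundary from The Data Boundary section. It is not the plugin's own code (that lives in the plugin/ directory of the repository); it is a hypothetical hook that reads a hook event, reduces it to the counts and rates the page says are collected, and runs a leak check that refuses to emit a payload if any raw field (prompt text, file paths, repository name, diff) appears in it. The event field names, the file-reference pattern and the workflow keyword lists are assumptions made for this example, and the sample event is constructed.

```python
"""Hypothetical Claude Code hook: aggregate locally, send only signals, fail open."""
import json
import re
from typing import Any, Iterator, Optional

# Event keys that hold raw content and must never reach the outbound payload.
# These names are assumptions for this example, not the plugin's real schema.
RAW_KEYS = {"prompt", "response", "file_paths", "repo", "env", "diff"}

# Constructed pattern for '@path/to/file' references inside a prompt.
FILE_REF = re.compile(r"@[\w./-]+")

# Constructed keyword lists used to classify shell commands run via tools.
WORKFLOW_KEYWORDS = {
    "test": ("pytest", "npm test", "go test", "cargo test"),
    "lint": ("eslint", "ruff", "flake8", "golangci-lint"),
    "build": ("npm run build", "go build", "cargo build", "make"),
}


def classify_command(cmd: str) -> Optional[str]:
    """Map a shell command to a workflow category, or None if it matches none."""
    for category, needles in WORKFLOW_KEYWORDS.items():
        if any(needle in cmd for needle in needles):
            return category
    return None


def aggregate_event(event: dict[str, Any]) -> dict[str, Any]:
    """Reduce one hook event to counts, rates and settings only; no raw content."""
    prompt = event.get("prompt", "")
    tools = event.get("tools", [])
    edits = event.get("edits", [])

    workflow = {"test": 0, "lint": 0, "build": 0}
    for tool in tools:
        category = classify_command(tool.get("command", ""))
        if category:
            workflow[category] += 1

    accepted = sum(1 for edit in edits if edit.get("accepted"))
    return {
        "file_ref_count": len(FILE_REF.findall(prompt)),
        "prompt_words": len(prompt.split()),
        "tool_count": len(tools),
        "workflow": workflow,
        "edit_accept_rate": accepted / len(edits) if edits else None,
        "permission_mode": event.get("permission_mode"),
        "has_claude_md": bool(event.get("has_claude_md")),
    }


def _strings(value: Any) -> Iterator[str]:
    """Yield every string nested inside a JSON-like value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)


def leaks_raw_content(event: dict[str, Any], payload: dict[str, Any]) -> bool:
    """True if any raw field's text appears verbatim in the serialized payload."""
    serialized = json.dumps(payload)
    for key in RAW_KEYS:
        for text in _strings(event.get(key)):
            if len(text) >= 4 and text in serialized:
                return True
    return False


def build_payload(raw_json: str) -> Optional[dict[str, Any]]:
    """Fail-open entry point: any error or detected leak returns None, so the
    hook never blocks the user's workflow and never sends raw content."""
    try:
        event = json.loads(raw_json)
        payload = aggregate_event(event)
        if leaks_raw_content(event, payload):
            return None
        return payload
    except Exception:
        return None


# Constructed sample event; not captured from a real session.
SAMPLE_EVENT: dict[str, Any] = {
    "prompt": "Fix the failing test in @src/auth/login.py and @tests/test_login.py",
    "response": "Updated the null check in login()",
    "file_paths": ["src/auth/login.py", "tests/test_login.py"],
    "repo": "acme/payments",
    "permission_mode": "default",
    "has_claude_md": True,
    "tools": [
        {"name": "Bash", "command": "pytest tests/test_login.py"},
        {"name": "Bash", "command": "ruff check src/"},
        {"name": "Edit", "command": ""},
    ],
    "edits": [{"accepted": True}, {"accepted": False}, {"accepted": True}],
}
SAMPLE_EVENT_JSON = json.dumps(SAMPLE_EVENT)

if __name__ == "__main__":
    print(json.dumps(build_payload(SAMPLE_EVENT_JSON), indent=2))
```

Running the file prints only the aggregated signals (two file references, three tool calls, one test run, one lint run, a two-thirds accept rate, permission mode and CLAUDE.md presence); the prompt, response, paths and repository name never appear in the output. The leak check is the part worth keeping when auditing a hook of this kind: it turns the "what we never collect" list into a mechanical test on the outbound payload rather than a promise.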

Infrastructure Security

Encryption

TLS 1.3 in transit. AES-256 at rest. Database connections use SSL with certificate verification.

Authentication

Passwords hashed with bcrypt (cost factor 12). JWT sessions with short expiry. Google OAuth as an alternative.

Isolation

Each organization's data is logically isolated at the database level. Telemetry data is partitioned per user with label-based access control.

Hosting

Application hosted on Vercel (SOC 2 Type II). Database on Supabase (SOC 2 Type II). Telemetry on dedicated EC2 instances.

Team Privacy Boundaries

For team accounts, managers see aggregated team metrics and individual proficiency scores. Managers cannot see:

  • Individual prompt content or session transcripts
  • Specific coaching recommendations shown to individual developers
  • Minute-by-minute activity timelines

The team dashboard is designed for coaching conversations, not performance reviews.

Incident Response

In the event of a security incident, we commit to notifying affected users within 72 hours. We maintain an incident response playbook and conduct regular security reviews.

Responsible Disclosure

Found a security issue? We appreciate responsible disclosure. Please report vulnerabilities to contact@spectatr.ai. We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours.