Last updated: December 2025
At Prowi, we take the security and privacy of your data seriously. This page provides an overview of our security practices, compliance status, and the measures we take to protect your information.
Security Overview
Prowi is a commission and variable salary management platform that processes sensitive financial and employee data. We have implemented comprehensive security measures to ensure the confidentiality, integrity, and availability of your data.
Infrastructure Security
Cloud Hosting
Prowi is hosted on Heroku, which runs on Amazon Web Services (AWS) infrastructure. All data is stored exclusively within the AWS EU-North-1 (Stockholm) region.
Our infrastructure providers (Heroku and AWS) hold the following security certifications. These are the providers' certifications; Prowi's own compliance status is listed under Certifications & Compliance below.
• SOC 1, SOC 2, SOC 3
• ISO 27001
• ISO 27017
• ISO 27018
• PCI DSS Level 1
Data Encryption
• Data in transit: TLS 1.2/1.3 (HTTPS)
• Data at rest: AES-256 encryption
• Database backups: AES-256 encryption
Network Security
• DDoS protection (provided by AWS/Heroku)
• Network-level firewalls and security groups
• Traffic monitoring and anomaly detection
• Intrusion detection systems
Application Security
Authentication
• Two-Factor Authentication (2FA): Required for all users
• Single Sign-On (SSO): Supported for enterprise customers
• Strong password policy: Minimum 12 characters with complexity requirements
• Account lockout: Enabled after multiple failed login attempts
• Session management: Automatic timeout after inactivity
Access Control
• Role-based access control (RBAC): Users only have access to data they need
• Tenant isolation: Each customer's data is logically separated
• Principle of least privilege: Minimum necessary access granted
• Regular access reviews: Permissions reviewed and adjusted as needed
Security Monitoring
• Activity and audit logging
• Automated alerts for suspicious activity
• Regular log reviews
• Continuous infrastructure monitoring (via Heroku/AWS)
Organisational Security
Internal Access
Access to customer data within Prowi is strictly limited:
• CEO: Full access (oversight)
• CTO: Full access (technical administration)
• Customer Success: Account-level admin (no direct database access)
All employees:
• Are bound by confidentiality obligations in employment contracts
• Receive data protection training upon onboarding
• Use 2FA for all system access
• Have full disk encryption enabled on devices
Vendor Security
• All sub-processors are vetted for security and compliance
• Data Processing Agreements (DPAs) required for all vendors processing personal data
• Annual review of vendor compliance and security posture
Data Protection & Privacy
GDPR Compliance
Prowi is fully compliant with the General Data Protection Regulation (GDPR). We act as a data processor on behalf of our customers and have implemented appropriate technical and organisational measures to protect personal data.
Key documentation:
• Privacy Policy: prowi.io/en/privacy
• Data Processing Agreement (DPA): prowi.io/en/dpa
Data Location
All customer data is stored and processed within the European Union (Stockholm, Sweden). We do not transfer customer data outside the EU/EEA.
Data Subject Rights
We support our customers in responding to data subject requests including access, rectification, erasure, and portability. Contact us at legal@prowi.io.
Business Continuity
IT Contingency Plan
We maintain a documented IT Contingency Plan covering disaster recovery and business continuity. Key elements include:
• Crisis management team with defined roles
• Recovery procedures for critical systems
• Regular testing through simulations and drills
• Annual review and updates
Full plan available at: prowi.io/en/it-contingency-plan
Backup & Recovery
• Daily automated backups
• 90-day backup retention
• Encrypted backups stored in AWS EU region
• Tested recovery procedures
High Availability
• Hosted on redundant infrastructure (AWS)
• Automatic failover within EU region
• No data transfer outside EU during failover
Certifications & Compliance
• GDPR: Compliant
• Danish Data Protection Act: Compliant
• ISAE 3000: In progress (expected 2026)
Our infrastructure providers hold extensive certifications including SOC 2, ISO 27001, and PCI DSS.
Incident Response
In the event of a security incident or data breach:
• Immediate containment and investigation
• Notification to affected customers within 48 hours
• Notification to supervisory authority within 72 hours (where required)
• Post-incident review and remediation
Report security concerns to: legal@prowi.io
Where is my data stored?
All data is stored in the AWS EU-North-1 (Stockholm) region and never leaves the EU.
Is my data encrypted?
Yes, all data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256).
Who has access to my data?
Only authorised Prowi personnel with a business need. Access is logged and reviewed.
Do you perform penetration testing?
Our infrastructure provider (Heroku/AWS) undergoes regular penetration testing. As Prowi scales, we plan to conduct independent application-level penetration testing.
How can I report a security issue?
Please contact legal@prowi.io immediately with any security concerns.
Do you have external consultants outside the EU who can access data?
No.
How quickly can you restore a backup if an error occurs?
The database is backed up daily, and a restore can be started immediately. Because backups are taken once a day, a restore returns the database to the state of the most recent backup, so changes made after that point may need to be re-entered.
How often do you test your restore procedure?
Annually.
What do you do to prevent DDoS attacks?
We operate on a managed service with Heroku, which has primary responsibility for DDoS mitigation. Heroku states the following about its DDoS mitigation:
"Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed."
In addition to the protection provided by our provider, we have implemented request throttling at the application level. Prowi uses AWS WAF (Web Application Firewall).
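The application-level request throttling mentioned above is typically a per-client token bucket: each client starts with a burst allowance, spends one token per request, and earns tokens back at a fixed rate. The following is an added illustration of that technique, not Prowi's own implementation; the limits (a burst of 20 requests, refilling at 5 per second) and the client identifiers are assumptions chosen for the example. A fake clock is injected so the behaviour can be checked deterministically.

```python
"""Per-client token-bucket throttle (added example; not Prowi's code).

Limits and client identifiers below are assumed values for illustration.
"""
import time


class Bucket:
    """State for one client: remaining tokens and the time of the last refill."""

    def __init__(self, capacity, tokens, last):
        self.capacity = capacity
        self.tokens = tokens
        self.last = last


class Throttle:
    """Allow up to `capacity` requests in a burst, then `refill_per_sec` per second.

    `clock` is injectable so tests can advance time without sleeping.
    """

    def __init__(self, capacity=20, refill_per_sec=5.0, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.clock = clock
        self.buckets = {}  # client_id -> Bucket

    def allow(self, client_id):
        now = self.clock()
        b = self.buckets.get(client_id)
        if b is None:
            # A new client starts with a full bucket.
            b = Bucket(self.capacity, self.capacity, now)
            self.buckets[client_id] = b
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        # Out of tokens: the caller should answer HTTP 429 and not do any work.
        return False


def simulate():
    """Deterministic scenario with a fake clock (constructed input).

    Client 10.0.0.1 fires 25 requests at t=0, a second client sends one
    request, then the clock moves to t=1s and the first client tries 6 more.
    """
    t = [0.0]
    th = Throttle(capacity=20, refill_per_sec=5.0, clock=lambda: t[0])
    burst = [th.allow("10.0.0.1") for _ in range(25)]
    other = th.allow("10.0.0.2")
    t[0] = 1.0  # one second later, 5 tokens have been refilled
    after_wait = [th.allow("10.0.0.1") for _ in range(6)]
    return {
        "burst_allowed": sum(burst),            # 20 of 25
        "other_client_allowed": other,          # independent bucket
        "after_wait_allowed": sum(after_wait),  # 5 of 6
    }


if __name__ == "__main__":
    print(simulate())
```

Two design points matter in practice. Key the bucket on the authenticated user or tenant where a session exists, not only on the source IP, because many legitimate users share an IP behind corporate NAT while an attacker can spread requests across many addresses. And throttling in the application only protects what reaches the application; volumetric floods have to be absorbed upstream by the provider-level mitigation described above.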
Can we get SSO with Microsoft or similar, so we can easily manage security access, for example when an employee leaves?
Yes, this is an integrated part of our solution.
Can we get a copy of your Data Processing Agreement so we can review it?
Our always up-to-date DPA can be found at https://prowi.io/dpa/ and it is also attached as an appendix to the contract we enter into with you.
How long do you store data on our employees and revenue?
Data is deleted after 5 years — unless you actively delete the data yourself.
What data is stored and where? (Salesperson, IP, products, revenue, emails?)
Everything is stored on the platform (app.prowi.io) and housed in the AWS EU-North-1 (Stockholm) region.
We only store the data needed to calculate the basis for your bonus and commission calculations. Regarding personal data under GDPR, this is specified in our DPA under section 2.2, but can be summarised as: base salary, individual goals, email, and name.
Is the data separated or stored in one place?
All data is stored, as is typical for a SaaS solution, in a single database with multi-tenancy at the row level. Every entity carries a customer ID, and that ID is scoped globally as part of the core application, so data access is always constrained to the requesting customer's ID. Customers therefore cannot access each other's data.
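Row-level multi-tenancy stands or falls on the customer ID being applied to every query, including lookups by primary key. The following added example (not Prowi's code; the `payouts` table, its columns and the sample rows are constructed for illustration) shows the scoped access path next to the one mistake that breaks isolation in this model: a lookup by id alone, which lets any authenticated user read another tenant's row by guessing an id. The tenant ID is taken from the authenticated session, never from a request parameter.

```python
"""Row-level tenant isolation with a mandatory customer_id scope.

Added example, not Prowi's code. Table name, columns and rows are constructed
for illustration only.
"""
import sqlite3

SCHEMA = """
CREATE TABLE payouts (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    employee    TEXT    NOT NULL,
    amount      REAL    NOT NULL
);
"""

# Constructed sample rows: two rows for customer 1, one for customer 2.
SAMPLE_ROWS = [
    (1, 1, "alice@acme.example", 1200.0),
    (2, 1, "bob@acme.example", 950.0),
    (3, 2, "carol@globex.example", 2100.0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO payouts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


class TenantScope:
    """All reads go through this object. customer_id comes from the
    authenticated session, so a caller cannot pick another tenant."""

    def __init__(self, conn, customer_id):
        self.conn = conn
        self.customer_id = customer_id

    def payouts(self):
        cur = self.conn.execute(
            "SELECT id, employee, amount FROM payouts WHERE customer_id = ?",
            (self.customer_id,),
        )
        return cur.fetchall()

    def payout(self, payout_id):
        # The tenant filter is applied even on a primary-key lookup: an id
        # belonging to another tenant yields None, not their row.
        cur = self.conn.execute(
            "SELECT id, employee, amount FROM payouts "
            "WHERE id = ? AND customer_id = ?",
            (payout_id, self.customer_id),
        )
        return cur.fetchone()


def unscoped_payout(conn, payout_id):
    """The isolation-breaking variant: lookup by id only (an IDOR)."""
    cur = conn.execute(
        "SELECT id, employee, amount FROM payouts WHERE id = ?", (payout_id,)
    )
    return cur.fetchone()


def demo():
    """Customer 1 tries to read payout 3, which belongs to customer 2."""
    conn = make_db()
    tenant1 = TenantScope(conn, customer_id=1)
    return {
        "own_rows": len(tenant1.payouts()),                # 2
        "cross_tenant_scoped": tenant1.payout(3),          # None
        "cross_tenant_unscoped": unscoped_payout(conn, 3), # leaks the row
    }


if __name__ == "__main__":
    print(demo())
```

The check a customer can ask for is exactly what `demo()` does: create a second tenant, take an object id from it, and request that id while authenticated as the first tenant. A correct row-level design returns nothing; the unscoped path returns the other tenant's data.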
Is data stored other than our employees' revenue: such as phone numbers from calls or customer names?
We only store the data that you send us and that is necessary to calculate your models. Customer name is often an identifier used to understand and communicate the calculated and reported bonus and commission.
How is our (the customer's) data encrypted?
Your data is encrypted at rest in the database. Additionally, all traffic to and from Prowi is encrypted with TLS (HTTPS).
Who has access to our data?
Your dedicated Prowi consultant and management.
Will we be informed when you enter into an agreement with a new sub-processor?
Yes, you will be informed. This is stated in section 10 of our DPA.
Do you use our data for marketing, resale, etc.?
We would like permission to use your logo as a reference on our website and to create a customer success story once you have been operational for a while and experienced the positive effects. Beyond that, none of your data or knowledge about your company is used for marketing purposes or communicated externally. This is also stated in our standard Terms of Use.
What is your contingency plan in the event of an IT security breach?
Read our IT contingency plan at https://prowi.io/it-beredskabsplan/
Who is our contact person for inquiries about the Data Processing Agreement and general requests for deletion/handling of data?
Rasmus Godske
Prowi CTO
rasmus@prowi.io
Do you have backup servers/connections in case of downtime for different parts of your IT supply chain?
Yes, we do. The setup is currently simple, as Prowi consists of a single monolithic application, but regular backups are taken from which the application can be quickly re-established.
Are employees trained in GDPR and IT security?
Yes, all employees at Prowi complete basic IT security exercises and GDPR training during their onboarding process.
Is there an SLA?
Yes, we have maintained 99.5% uptime to date, and this is our service level.