PRSM

Security & trust

Sensitive diligence, handled like it matters

PRSM handles people, evidence, and conclusions that carry real consequences. The product is built around confidentiality, least-privilege access, and provenance — and around honest language about what we do and don't know.

Data handling

Designed for least privilege and provenance

These are core product principles, not bolt-ons. The control direction is aligned with OWASP ASVS.

Tenant-scoped access

Reads are organization-scoped. One client's cases, subjects, and evidence are isolated from another's.

Assignment-based internal access

Investigators reach case material through assignment, not blanket access to everything in the platform.

Private evidence storage

Evidence files live in private object storage, not on a public bucket or a guessable URL.

Short-lived evidence links

Evidence is served through presigned, expiring URLs rather than permanent public links.

Role-based permissions

Client, investigator, QA, and admin roles gate what each person can see and do.

Audit logging

Sensitive actions write append-only audit events — a record of who did what, and when.

Client-safe status labels

Clients see clean status, not raw internal operational detail or unfinished work.

Internal notes stay internal

Investigator working notes are never pulled into the client-facing report.

Human-in-the-loop

People approve findings. Automation never decides.

AI is optional assistance only — it can summarize evidence, extract candidate names and relationships, and suggest language. Investigators and QA reviewers approve findings and reports. Automation does not confirm a match, merge a record, or deliver a report on its own.

What we don't claim

  • We do not claim certifications or completed third-party audits we have not earned.
  • We do not present an absence of evidence as evidence of absence.
  • We do not state allegations as facts unless the source status supports it.
  • We do not collapse nuanced findings into one opaque risk score.

Evidence standards

Every material statement traces to a source

A finding is only as good as the record behind it. For each one, PRSM preserves the chain that lets you verify it later.

  • Source name and source type.
  • URL, document, or file reference where available.
  • Collection timestamp.
  • Evidence snapshot or uploaded file.
  • Matching logic.
  • Relationship path and hop count for indirect exposure.
  • Investigator notes, confidence, and unresolved questions.
  • Review status and approver, where applicable.

Generated summaries never substitute for the original evidence. The source record is always preserved alongside any synthesis of it.

Diligence on diligence

Ask us the hard questions

If your security or compliance team needs to vet how we handle data before you share a subject, we welcome it. Request a briefing and bring the questionnaire.

Human-reviewed. Evidence-backed. Handled with tenant-scoped confidentiality.