# Security

## Data Encryption
All data that Prospector stores is encrypted at rest using AES-256-GCM. This includes lead records, proposal drafts, contract details, and scoring history. Data in transit between your browser or CLI and GhostStack’s API is encrypted with TLS 1.3.
Database backups are encrypted with a separate key managed through AWS KMS. Backup keys are rotated every 90 days. Prospector does not store data in plaintext at any stage of its pipeline.
## Credential Storage
Platform credentials (OAuth tokens for Upwork, Freelancer, and other connected platforms) are stored in Vault, GhostStack’s secrets manager. Vault uses envelope encryption: each credential is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) managed by AWS KMS.
Prospector never writes credentials to disk, environment variables, or log files. When a scan or proposal submission needs platform access, Prospector retrieves the token from Vault, uses it for the API call, and releases it from memory. Tokens are never cached in Prospector’s application layer.
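As an added illustration (not GhostStack's or Prospector's code), this models the envelope scheme described above: a per-credential AES-256-GCM data key, wrapped under a key encryption key, with the `ctx` string playing the part of a KMS encryption context. It assumes an in-process KEK in place of the AWS KMS calls, and shows why a stolen wrapped credential is useless without the KEK and the matching context.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prefixes a random nonce; aad is authenticated (not encrypted) and binds the blob to its context.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; Go 1.24+ never returns an error here
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or any modified byte fails to authenticate.
func open(key, data, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(data) >= n {
		return gcm.Open(nil, data[:n], data[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// EncryptCredential: fresh 256-bit DEK per credential; the DEK is wrapped under the KEK (the KMS Encrypt call in production) and then discarded.
func EncryptCredential(kek, credential []byte, ctx string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte(ctx)), seal(dek, credential, []byte(ctx))
}

// DecryptCredential unwraps the DEK with the KEK (the KMS Decrypt call), then opens the credential under the same ctx.
func DecryptCredential(kek, wrappedDEK, ciphertext []byte, ctx string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(ctx))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(ctx))
}
```

Vault's equivalent of `ctx` is whatever identifies the owning account and platform, so a blob copied from one record cannot be decrypted as another.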
## Platform Access Scopes
Prospector requests the minimum API scopes needed for its features:
| Platform | Scopes | Purpose |
|---|---|---|
| Upwork | job_search (read) | Scanning job postings |
| Upwork | proposals (read/write) | Drafting and submitting proposals |
| Upwork | contracts (read/write) | Tracking won contracts |
| Freelancer | project_search | Scanning projects |
| Freelancer | project_bid | Submitting bids |
| Freelancer | project_manage | Tracking contracts |
You can revoke platform access at any time through the GhostStack dashboard or directly on the platform’s security settings page. Revoking access immediately invalidates all stored tokens for that platform.
## API Token Security
GhostStack API tokens used for Prospector’s REST API are generated with the `prospector` scope. Tokens are displayed once at creation time and stored only as SHA-256 hashes afterward. GhostStack cannot retrieve your raw token; if you lose it, you must generate a new one.
Tokens support optional IP allowlisting. If you only access the API from known IP addresses (CI servers, your office network), restricting token usage to those IPs adds a layer of protection against token theft.
## Data Retention
Prospector retains lead data for 90 days after the last interaction. Leads that were never acted on (no proposal generated) are deleted after 30 days. Contract data is retained for 12 months after contract completion for analytics purposes.
You can request immediate deletion of all your Prospector data through the dashboard under Settings > Privacy > Delete My Data. This removes leads, proposals, contracts, scoring history, and any cached platform data. Vault credentials are deleted separately through the Vault interface.
## Audit Logging
Every action Prospector takes on your behalf is logged: scans performed, proposals generated, proposals submitted, contracts tracked, and configuration changes. Audit logs are retained for 12 months and are accessible through the dashboard under Settings > Audit Log.
Audit log entries include the timestamp, action type, affected resource ID, and the source (API token, dashboard session, or CLI). They do not include proposal text or lead details to avoid storing sensitive client information in a secondary location.
## Responsible AI Usage
Prospector uses AI models to generate proposal drafts. The prompts sent to the AI model include job descriptions (which are public platform data) and your profile information. Proposal drafts are generated through GhostStack’s AI infrastructure and are not used to train models.
Your prompt templates are stored in your GhostStack account and are not shared with other users. Generated drafts are stored as part of your proposal history and are subject to the same encryption and retention policies as other Prospector data.