How we protect your data and maintain the highest standards of information security.
Built-in security at every layer of the platform.
All data in transit is encrypted with TLS 1.3. At rest, we use AES-256 encryption for sensitive data. API keys are stored as bcrypt hashes.
We never store your original messages or files. Only SHA-256 hashes and classification metadata are retained. Your content passes through analysis and is discarded.
All services run in isolated Docker containers with read-only filesystems. PostgreSQL connections use TLS and connection pooling. Redis traffic is encrypted in transit.
We comply with GDPR and Ukrainian data protection law (Law 2297-VI). Data processing agreements are available for enterprise clients. Right to deletion is honored within 72 hours.
API key authentication with rate limiting. Role-based access for enterprise accounts. All administrative access logged and auditable.
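The two statements above (API keys stored only as bcrypt hashes, and API-key authentication with rate limiting) can be shown together in one small store. The following is an added example written for this page, not the platform's own code: it swaps in PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs without third-party packages, and it assumes a key format of `<key_id>.<secret>` and a token-bucket limiter, neither of which the page specifies. The storage pattern is what matters: a salted slow hash is not searchable by value, so the key has to carry a public identifier for lookup, and the plaintext secret is never retained.

```python
import hashlib
import hmac
import secrets

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 from the standard library.
# Same storage pattern as the page describes: per-key random salt plus a slow hash,
# and the plaintext secret is never kept.
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16


def slow_hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class ApiKeyStore:
    """Issues keys of the form '<key_id>.<secret>' and verifies them with a per-key rate limit."""

    def __init__(self) -> None:
        self.keys = {}  # key_id -> record; holds salt + hash, never the secret

    def issue(self, owner: str, requests_per_minute: int, now: float) -> str:
        # A salted slow hash cannot be looked up by value, so the key carries a
        # public identifier in front of the secret (assumed format, not the page's).
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.keys[key_id] = {
            "owner": owner,
            "salt": salt,
            "hash": slow_hash(secret, salt),
            "rpm": requests_per_minute,
            "tokens": float(requests_per_minute),  # token bucket, starts full
            "last_refill": now,                    # caller-supplied clock for determinism
        }
        return f"{key_id}.{secret}"

    def authenticate(self, presented: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'rate_limited'."""
        key_id, sep, secret = presented.partition(".")
        rec = self.keys.get(key_id)
        if not sep or rec is None:
            # Burn a hash anyway so an unknown id costs as much as a wrong secret.
            slow_hash(secret, DUMMY_SALT)
            return "invalid"
        if not hmac.compare_digest(slow_hash(secret, rec["salt"]), rec["hash"]):
            return "invalid"
        # Token bucket: refill at rpm/60 per second, capped at rpm; one token per request.
        elapsed = now - rec["last_refill"]
        rec["tokens"] = min(float(rec["rpm"]), rec["tokens"] + elapsed * rec["rpm"] / 60.0)
        rec["last_refill"] = now
        if rec["tokens"] < 1.0:
            return "rate_limited"
        rec["tokens"] -= 1.0
        return "ok"
```

The clock is passed in rather than read from `time.time()` so the refill arithmetic can be checked exactly; in a service you would pass the current time at each call. The dummy hash on an unknown key id keeps the response time of "no such key" close to that of "wrong secret".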
We maintain a responsible disclosure program. Security researchers can report vulnerabilities via email. We respond within 48 hours and do not pursue legal action against good-faith reporters.
Each analysis request follows a strict pipeline: input → sanitization → classification → response. No raw content touches disk. Results are cached by SHA-256 hash only.
ML models, database, cache, and API run in separate containers with network policies. No service has direct access to another's filesystem or memory.
Prometheus metrics, structured logging, and anomaly detection. Alerts for unusual traffic patterns, error rate spikes, and resource exhaustion.
PostgreSQL WAL archiving with point-in-time recovery. Automated daily backups with 30-day retention. Disaster recovery tested quarterly.
Privacy is built into our architecture, not bolted on. Minimal data collection, purpose limitation, and automatic data expiry.
Core detection patterns and scoring logic are open for audit. Community contributions improve detection for everyone.
We use Plausible Analytics (privacy-friendly, no cookies). No Google Analytics, no Facebook Pixel, no cross-site tracking.
Documented incident response procedures with <4h acknowledgment SLA. Affected users notified within 72 hours per GDPR Article 34.
Analyzed content is auto-deleted after plan-specific retention: Free 7 days, Pro 30 days, Business 90 days, Enterprise custom. Verdict metadata (hash + threat level) is kept indefinitely for community threat intelligence.
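The analysis pipeline (input → sanitization → classification → response, cached by SHA-256 hash only), the hash-plus-metadata retention described earlier, and the plan-specific expiry above fit in one small service. The following is an added example for this page, not the platform's code: the classifier is a constructed two-rule stand-in for the ML models, the record layout and the `retention_days` override for Enterprise are assumptions, and the clock is supplied by the caller. What it shows is that the raw content exists only inside `analyze`, the verdict index is keyed by digest and never purged, and per-customer records expire by plan.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Retention windows from the page, in days. Enterprise is custom, so it is
# passed per request (retention_days) rather than looked up here.
RETENTION_DAYS = {"free": 7, "pro": 30, "business": 90}
SECONDS_PER_DAY = 86_400

# Constructed stand-in for the service's classifier (assumption): two toy
# indicators are enough to exercise the pipeline.
THREAT_RULES = [
    (re.compile(r"https?://\S+"), "suspicious_link"),
    (re.compile(r"\b(urgent|verify your account|password)\b", re.I), "phishing_language"),
]


def content_hash(content: str) -> str:
    """The only content-derived value that is ever persisted."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def sanitize(content: str) -> str:
    """Drop control characters and collapse whitespace before classification."""
    printable = "".join(ch for ch in content if ch.isprintable() or ch == "\n")
    return re.sub(r"\s+", " ", printable).strip()


def classify(text: str) -> dict:
    hits = [label for pattern, label in THREAT_RULES if pattern.search(text)]
    level = "malicious" if len(hits) >= 2 else ("suspicious" if hits else "clean")
    return {"threat_level": level, "indicators": hits}


@dataclass
class AnalysisRecord:
    digest: str          # SHA-256 of the submitted content; no content itself
    threat_level: str
    plan: str
    retention_days: int
    created_at: float    # epoch seconds, injected by the caller


class AnalysisService:
    def __init__(self) -> None:
        self.verdicts = {}  # digest -> verdict dict; kept indefinitely (community intel)
        self.records = []   # per-customer AnalysisRecord list; expires by plan

    def analyze(self, content: str, plan: str, now: float,
                retention_days: Optional[int] = None) -> dict:
        digest = content_hash(content)
        hit = digest in self.verdicts
        if not hit:
            # input -> sanitization -> classification; the raw content lives
            # only in this frame and is never written anywhere.
            self.verdicts[digest] = classify(sanitize(content))
        verdict = self.verdicts[digest]
        days = retention_days if retention_days is not None else RETENTION_DAYS[plan]
        self.records.append(AnalysisRecord(digest, verdict["threat_level"], plan, days, now))
        return {"hash": digest, "cached": hit, **verdict}

    def purge_expired(self, now: float) -> int:
        """Delete per-customer records past their retention window; verdicts stay."""
        keep = [r for r in self.records
                if now - r.created_at < r.retention_days * SECONDS_PER_DAY]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed
```

A second submission of identical content is served from the verdict index without re-running sanitization or classification, which is the cache-by-hash behaviour the pipeline description states; the purge only touches the per-customer records, so the hash-to-threat-level mapping survives every retention window.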
LLM-based analysis may route through OpenRouter/OpenAI/Anthropic APIs. Message content is sent with no PII headers. Providers are contractually bound not to train on our data.
Found a security issue? We appreciate responsible disclosure. Please email us with details and we'll respond within 48 hours.