Security

How we protect your data

Last updated: November 14, 2025

Security at a Glance

Zero document retention minimizes attack surface
Customer-specific encryption - YOUR unique keys protect YOUR data
Automatic key rotation after every processing run
Advanced processing technology - proprietary algorithms, signal systems, and SOC 2 Type I and Type II certified third-party AI services
Data quality focus - ensuring data accuracy and quality through multi-layer validation
All data encrypted throughout the entire process
Zero-knowledge security - even if servers compromised, your data remains encrypted
You control your data - stored in YOUR Google Drive
Informational use only - data accuracy analysis, not financial advice
GDPR, CCPA, FCRA, ECOA compliant

Security-First Architecture

Built for privacy and security

Zero Document Retention

Your documents are NOT stored on our servers. Documents are processed in real-time during each processing run, then immediately deleted. This eliminates the largest attack vector: stored document data. Processing results are encrypted with YOUR customer-specific keys and stored in YOUR Google Drive AppData.

Stateless Processing

Each API request is independent. No session data persists beyond the active request. Minimal attack surface.

Request Isolation

Professional and Enterprise tiers use dedicated instances with network isolation to prevent cross-customer data leakage.

Data in Transit

HTTPS/TLS Encryption

All API requests and responses encrypted with TLS 1.3. No unencrypted HTTP traffic accepted.

SSL Certificates

Valid SSL certificates from trusted certificate authorities. Automatic renewal and monitoring.

API Security

API keys transmitted via secure headers. Rate limiting prevents abuse and DoS attacks.

Authentication & Authorization

OAuth 2.0

Google OAuth for user authentication. We never store passwords. OAuth tokens encrypted with AES-256.

Secure Sessions

Session cookies with httpOnly and secure flags. 7-day expiration with automatic refresh. CSRF protection enabled.

API Key Management

API keys hashed before storage. Rotate keys anytime from dashboard. Keys scoped to specific permissions.

Multi-Factor Authentication

MFA available for Enterprise tier accounts. Google account 2FA protects all OAuth logins.

Data at Rest

Customer-specific encryption architecture

Documents

NOT stored on our servers. Deleted immediately after processing. Zero document retention.

Processing Results

Encrypted with YOUR customer-specific keys and stored in YOUR Google Drive AppData. We cannot access your encrypted data without your OAuth permissions.

Encryption Keys

Customer-specific keys stored in YOUR Google Drive AppData. Automatically rotated after every processing run. Old keys discarded.

Account Data

Email, name, Stripe customer ID stored in encrypted database. AES-256 encryption at rest.

OAuth Tokens

Google OAuth refresh tokens encrypted with AES-256 before storage. Access tokens held in-memory only during Drive sync operations.

Logs

Error logs and usage metrics do not contain document content. Retained for 30 days maximum. Encrypted at rest.

Third-Party Security

Stripe (Payment Processing)

PCI DSS Level 1 certified. We never see credit card numbers. Only Stripe customer IDs stored.

Google (OAuth & Drive)

OAuth 2.0 with minimal scopes (drive.file, spreadsheets, drive.appdata). Users can revoke access anytime via Google account settings. Your encrypted data and keys stored in YOUR Google Drive AppData.

Third-Party AI Services

We use proprietary algorithms and signal systems to ensure data accuracy and quality. Third-party AI services are SOC 2 Type I and Type II certified, contractually prohibited from using your data for training, and process data ephemerally with encryption in transit.

Access Controls

Least Privilege Principle

Employees have minimal access required for their role. No employee access to customer documents (they're not stored).

Audit Logging

All administrative actions logged. Access logs reviewed regularly for anomalies.

Separation of Duties

Development, staging, and production environments isolated. Production access restricted to operations team.

Monitoring & Incident Response

Threat Detection

Automated monitoring for suspicious activity, failed login attempts, and API abuse. Real-time alerts for security events.

Incident Response Plan

Documented procedures for security incidents. Response team on-call 24/7 for Enterprise tier.

Breach Notification

If a data breach occurs, affected users notified within 72 hours. Compliance with GDPR and state breach notification laws.

Compliance & Certifications

GDPR Compliance

Data processing agreements available. Zero retention architecture simplifies compliance. Right to deletion automatic (delete account = delete data).

CCPA Compliance

We do not sell personal information. California residents have rights to access and delete data.

SOC 2 Type II (Roadmap)

Formal audit in progress for Enterprise tier. Current practices align with Security, Availability, Confidentiality principles.

Vulnerability Management

Regular Updates

Dependencies and infrastructure patched regularly. Security updates applied within 48 hours of disclosure.

Security Testing

Regular penetration testing and vulnerability scans. Third-party security audits annually.

Responsible Disclosure

Report security vulnerabilities to [email protected]. We acknowledge reports within 24 hours and provide updates every 72 hours.

Your Security Responsibilities

Keep API keys confidential. Rotate immediately if compromised.
Use strong, unique passwords for your Google account (OAuth)
Secure devices accessing the dashboard. Log out from shared computers.
Review Google OAuth permissions regularly. Revoke access if no longer needed.
Report suspicious activity to [email protected] immediately

Need help?

Need Help With Security?

Reach our legal & security team at [email protected] for incident disclosures or compliance questions.

[email protected]

We respond within one business day.