Security & Trust

Enterprise-grade security, built in

Your data is your data. We protect it with encryption, strict access controls, and transparent practices. Not paywalled behind an enterprise add-on.

TLS 1.2+

AES-256 at rest

SSO / SAML

RBAC + RLS

Version history

Data residency

Infrastructure

Hosted on AWS with multi-AZ deployments across US regions for high availability
Cloudflare edge network in front of all traffic with TLS termination, automatic HTTPS, and certificate management at 300+ global PoPs
Cloudflare WAF with managed rulesets to block SQL injection, XSS, and OWASP Top 10 threats before they reach origin servers
Cloudflare DDoS mitigation (L3/L4/L7): always-on, automatic, with unlimited unmetered protection
Cloudflare Bot Management to filter malicious automated traffic, credential stuffing, and scraping
TLS 1.2+ encryption for all data in transit, end-to-end from client to Cloudflare to origin with full strict SSL mode
AES-256 encryption at rest for databases, file storage, and backups
Automated, encrypted backups with point-in-time recovery and cross-region replication
VPC isolation with private subnets, security groups, and strict firewall rules on AWS
Cloudflare firewall rules for IP allowlisting, geo-blocking, rate limiting, and request validation
AWS Shield for additional infrastructure-layer DDoS protection

SSO / SAML integration for enterprise identity providers (Okta, Azure AD, Google)
Multi-factor authentication (2FA) with TOTP authenticator apps
Role-based access control (RBAC) with owner, admin, editor, viewer per organization
Row-level security (RLS) enforced at the database layer per tenant
Session management with secure, HTTP-only cookies and automatic expiry
Per-link permissions (viewer, commenter, or editor) with optional passwords and expiry dates
Break-glass workflows with full audit trails for elevated access

Data ownership: you own your content. We claim zero IP rights over user-created data
Data residency options available on Enterprise plans
Soft-delete with 30-day retention before permanent purge. Accidental deletes are recoverable
Field-level masking for sensitive data in analytics pipelines
Least-privilege principle: services and APIs access only the data they need
GDPR-aligned data handling with purpose limitation, data minimization, and retention policies

We do NOT use your data to train or fine-tune AI models. Ever
AI inputs are processed in-memory and discarded after generation. No persistent storage
Content sanitization before and after AI processing to prevent injection attacks
All AI actions are auditable: inputs, outputs, and model versions are logged
Confidence thresholds on AI proposals. AI never auto-commits; humans always approve
PHI/PII redaction pipelines available for sensitive workloads (Enterprise)

Published Privacy Policy, Terms of Service, Cookie Policy, and Acceptable Use Policy
Consent management via Termly so users control cookie preferences at all times
GDPR-aligned processing with transparent data handling disclosures
Rate limiting, CSRF protection, HSTS, and Content Security Policy (CSP) headers
Content sanitization to prevent XSS and injection attacks across all user inputs
Working toward SOC 2 Type II and ISO 27001 certification

99.9% uptime for all plans. 99.99% SLA on Enterprise with financial credits
Multi-zone redundancy for database and storage layers
Automatic failover with zero-downtime deployments (blue-green via Vercel)
Real-time monitoring, structured logging, and alerting on all critical services
Disaster recovery drills with defined RPO/RTO targets
Version history with instant restore. Roll back to any previous state in seconds

SSO/SAML, dedicated support, custom integrations, data residency, 99.99% SLA, and unlimited AI credits, tailored to your organization.