Security & compliance

How we protect your data, our compliance posture, and how to reach our security team. Concise enough to skim, specific enough to send to your procurement team.

Encryption

All traffic to AI Detector API is encrypted in transit using TLS 1.2+. The site enforces HSTS with a preload-eligible policy. At rest, data is encrypted with AES-256 inside our cloud provider's managed storage.

API keys are stored as salted, one-way hashes. The raw key is shown to you exactly once at issue time; rotating a key invalidates the old hash immediately.

Data handling

By default we do not store the text you submit for detection. Requests are processed in memory and the payload is discarded after the response is returned.

Customers can opt in to request-logging for debugging and audit — that's a per-account setting, off by default. Even when logging is enabled, payloads are encrypted at rest and purged after 30 days.

Authentication & access control

API access is gated by bearer tokens scoped to a single project. Pro and Enterprise customers can issue multiple keys, scope them to read-only or write-enabled, and rotate them from the dashboard.
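The two mechanisms described above (keys stored only as salted one-way hashes, shown raw exactly once and invalidated on rotation; bearer keys scoped to a project with read-only or write-enabled permission) fit together in a small key store. The following is an added illustration, not code from AI Detector API; the key format, the in-memory store, the PBKDF2 choice and the `read`/`write` scope names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical in-memory key store: key id -> record. A real service would
# persist this; the point is that only the salted digest is ever stored.


@dataclass
class KeyRecord:
    key_id: str
    salt: bytes
    digest: bytes
    project: str
    scope: str  # assumed scope names: "read" or "write"
    revoked: bool = False


_STORE: Dict[str, KeyRecord] = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # One-way, salted hash of the secret part of the key. PBKDF2-HMAC-SHA256 is
    # an assumption; any keyed or slow one-way function with a per-key salt works.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def issue_key(project: str, scope: str = "read") -> str:
    """Mint a key for one project. Stores the salted hash, returns the raw key once."""
    if scope not in ("read", "write"):
        raise ValueError("unknown scope")
    key_id = secrets.token_hex(8)          # public lookup handle
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy, never stored
    salt = os.urandom(16)
    _STORE[key_id] = KeyRecord(key_id, salt, _hash_secret(secret, salt), project, scope)
    # Assumed wire format: "<key_id>.<secret>". This return value is the only
    # place the raw secret exists; the caller must show it to the user now.
    return f"{key_id}.{secret}"


def verify_key(raw_key: str) -> Optional[KeyRecord]:
    """Resolve a presented bearer key to its record, or None if invalid/revoked."""
    try:
        key_id, secret = raw_key.split(".", 1)
    except ValueError:
        return None
    rec = _STORE.get(key_id)
    if rec is None or rec.revoked:
        return None
    # Constant-time comparison so a wrong secret does not leak timing information.
    if not hmac.compare_digest(_hash_secret(secret, rec.salt), rec.digest):
        return None
    return rec


def allowed(rec: KeyRecord, project: str, action: str) -> bool:
    """Scope check: a key only ever acts on its own project; 'write' needs a write key."""
    if rec.project != project:
        return False
    if action == "read":
        return True
    if action == "write":
        return rec.scope == "write"
    return False


def rotate_key(raw_key: str) -> Optional[str]:
    """Revoke the presented key and issue a replacement with the same project and scope."""
    rec = verify_key(raw_key)
    if rec is None:
        return None
    rec.revoked = True  # old hash is useless from this point on
    return issue_key(rec.project, rec.scope)


if __name__ == "__main__":
    k = issue_key("proj-a", "write")
    print("issued:", k)
    rec = verify_key(k)
    print("verified project:", rec.project if rec else None)
    k2 = rotate_key(k)
    print("old key still valid?", verify_key(k) is not None)
    print("new key valid?", verify_key(k2) is not None)
```

Two design points worth noticing: the lookup handle (`key_id`) is separate from the secret, so the store can find the record without ever indexing on the secret, and the secret is compared with `hmac.compare_digest` after hashing so verification time does not depend on which byte differs. Because the secret already carries 256 bits of entropy, a plain SHA-256 would also be acceptable in place of PBKDF2; the slow KDF is used here only to keep the "salted, one-way hash" property visible.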

Production access for our team is via SSO with hardware-key 2FA. We log every privileged access event and review the logs monthly.

Infrastructure

The API runs on tier-1 cloud infrastructure with multi-region failover. Compute is isolated per tenant on Enterprise plans. Backups are encrypted, geographically replicated, and tested quarterly.

Subprocessors are limited to: Stripe (billing), our cloud provider (compute and storage), and an email provider for transactional mail. Full list available under NDA.

Privacy & GDPR

We're GDPR-ready. We process personal data only as a data processor on behalf of our customers, who remain the controller. Standard Contractual Clauses are available on Pro and Enterprise plans, and we will sign a Data Processing Agreement (DPA) on request.

For consumer-side cookie information, see our cookie policy. For general privacy, see the privacy policy.

Compliance

SOC 2 Type II: in progress. We're working toward attestation with a target date in 2027. Customers can request our current security questionnaire (CAIQ-Lite) in the meantime.

HIPAA, PCI-DSS: not in scope for the current product. If you have a use case that requires either, let us know — we'll be straight with you about feasibility.

Incident response

We maintain a documented incident response plan with severity tiers, escalation paths, and customer notification windows. For confirmed incidents affecting customer data we will notify affected customers within 72 hours, in line with GDPR Article 33.

To report a vulnerability or suspected incident, email [email protected] (PGP available on request). We commit to acknowledge reports within one business day and to keep researchers updated through resolution.

Need our security questionnaire or DPA?

We'll send our CAIQ-Lite, DPA, and any other compliance docs you need. Email [email protected] or use the contact form.