Security.

1. Infrastructure.

All production traffic runs on Cloudflare's edge network. TLS 1.3 is enforced; HTTP is redirected. HSTS is set with preload. Backend services run on Cloudflare Workers with isolate-level tenancy. No customer data is stored in log files longer than 180 days.

2. Encryption.

At rest: AES-256 on KV, R2, and D1 (managed by Cloudflare). In transit: TLS 1.3. Secrets (API keys, signing keys) are stored in Wrangler secrets and never embedded in worker bundles.

3. Access control.

Employee access to production systems is SSO-gated (Google Workspace with hardware security keys required for administrative roles). Least-privilege IAM. Every access event is logged to an append-only log.

4. Application security.

A strict Content Security Policy is applied to every page. Input is validated and bounded (essay submissions cap at ~3,000 words per free-tier check). Rate limiting is applied per-IP and per-account. Prompt-injection patterns are screened on inbound submissions to our LLM-backed endpoints.

5. Vulnerability reporting.

Report vulnerabilities to security@aiessaydetector.ai. PGP key on request. We acknowledge within one business day and work with you on a coordinated-disclosure timeline. We do not run a public bug bounty but reward significant findings at our discretion.

6. Incident response.

If a security incident affects customer data, we notify affected customers within 72 hours of confirmation, per GDPR Art. 33 and applicable US state breach-notification laws. A public post-mortem is published within 30 days of resolution, unless active investigation or legal process prevents disclosure.

7. Audit posture.

SOC 2 Type II in progress; expected completion Q3 2026. Prior Type I report available under NDA.

Encryption at Rest and Key Management Infrastructure

All user data, including uploaded documents, analysis results, and account information, is encrypted at rest using AES-256 encryption, the same standard employed by financial institutions and government agencies for classified information. Our storage infrastructure leverages encrypted volumes across all database instances and object storage systems, ensuring that data remains protected even in the event of physical media compromise. Encryption keys are never stored alongside the data they protect, maintaining cryptographic separation that prevents single points of failure in our security model.

Key management follows a hierarchical approach utilizing AWS Key Management Service (KMS) with customer master keys (CMKs) that undergo automatic rotation every 90 days. Data encryption keys (DEKs) are generated per-object for document storage and per-table for database records, then encrypted by the master keys in an envelope encryption pattern. Access to encryption keys is governed by strict IAM policies requiring multi-factor authentication, with all key usage logged to CloudTrail for audit purposes. Cryptographic operations are performed within FIPS 140-2 validated hardware security modules (HSMs), ensuring that key material never exists in plaintext outside secure boundaries.

Our key lifecycle management includes secure generation using cryptographically secure random number generators, strict access controls limiting key usage to specific service roles, comprehensive audit logging of all cryptographic operations, and secure destruction procedures when keys are rotated or retired. Backup encryption keys are stored in geographically separate regions with the same protection standards, and we maintain documented procedures for key recovery in disaster scenarios that require approval from multiple authorized personnel. Annual reviews of our encryption implementation are conducted by independent security auditors as part of our SOC 2 certification process.

Vulnerability Management and Coordinated Disclosure

Our vulnerability management program operates on a continuous assessment model rather than periodic scanning alone. Automated vulnerability scanners run daily against all production infrastructure, staging environments, and application code repositories, with findings automatically triaged based on CVSS scores and exploitability metrics. Dependencies are monitored through software composition analysis tools that alert our security team within hours of disclosed vulnerabilities in third-party libraries. We maintain a maximum remediation window of 14 days for critical vulnerabilities (CVSS 9.0-10.0), 30 days for high-severity issues (CVSS 7.0-8.9), and 90 days for medium-severity findings, with tracking metrics reviewed weekly by engineering leadership.

We maintain a public security disclosure policy accessible at aiessaydetector.ai/security/disclosure that encourages responsible reporting from security researchers. Qualifying vulnerability reports receive acknowledgment within 24 hours, with initial assessment completed within 72 hours. Our coordinated disclosure timeline typically allows 90 days for remediation before public disclosure, though we accommodate earlier publication for critical issues affecting user safety. We provide recognition to researchers through our security acknowledgments page and work collaboratively to understand attack vectors and validate fixes before deployment.

Penetration testing is conducted quarterly by independent third-party security firms specializing in web application security, with additional focused testing performed after major feature releases. These assessments include both authenticated and unauthenticated testing scenarios, API security analysis, and simulation of insider threat vectors. Findings are categorized using the OWASP Risk Rating Methodology and tracked through remediation in our issue management system. All penetration test results and remediation evidence are retained for compliance purposes and reviewed during our annual SOC 2 audit, ensuring that our vulnerability handling processes meet industry standards for SaaS platforms.

SOC 2 Type II Audit Scope and Breach Notification Protocols

Our SOC 2 Type II certification, conducted annually by independent auditors accredited by the AICPA, covers the Security and Confidentiality Trust Services Criteria across our entire production environment. The audit scope encompasses access controls, encryption implementation, change management procedures, vulnerability management, incident response, and business continuity planning. The Type II designation indicates that auditors not only evaluated our control design but also tested control effectiveness over a minimum six-month observation period. Our most recent audit report is available to customers under NDA through our sales team, providing detailed evidence of control testing including sample selections, testing procedures, and auditor observations.

The audit specifically examines our data classification schema, which categorizes user documents and analysis results as confidential data requiring the highest protection tier. Auditors review access logs to verify that role-based access controls are functioning as designed, test encryption key rotation procedures, and validate that background checks are completed for all personnel with production access. Change management controls are evaluated through sampling of production deployments to confirm that changes follow our documented approval workflow requiring security review for changes affecting authentication, authorization, or data handling. Network segmentation, database access patterns, and API authentication mechanisms are tested to ensure defense-in-depth principles are implemented throughout our infrastructure.

Our breach notification protocols, documented in our Incident Response Plan and validated during SOC 2 audits, define clear thresholds and timelines for user notification. In the event of unauthorized access to personal information or analysis data, affected users receive direct email notification within 72 hours of breach confirmation, consistent with GDPR requirements and representing best practice even for users outside EU jurisdiction. Notifications include specific information about the data types affected, the approximate number of users impacted, remediation steps already taken, and recommended actions for users. We maintain relationships with forensic investigation firms that can be engaged within hours for sophisticated incidents, and our incident response procedures are tested through tabletop exercises twice annually. Regulatory notifications are handled according to jurisdiction-specific requirements, with our legal team maintaining current knowledge of notification obligations across the regions we serve.