Trust center · updated monthly

Trust center.

Where we operate, who our subprocessors are, how data is protected, and how to reach our security team.

Last updated 2026-04-20

Compliance posture.

SOC 2 Type II audit in progress (expected completion Q3 2026). We'll link the report here once signed. In the meantime, our DPA and security controls are reviewable under NDA via hello@aiessaydetector.ai.

We comply with GDPR (EU/UK) and CCPA (California). A DPA is available at /dpa and can be executed on our paper or on institutional paper with reasonable edits.

Subprocessors.

A current list of infrastructure subprocessors is below. We provide 30-day notice of changes to this list via email to subscribed institutional customers. Request notifications by emailing security@aiessaydetector.ai.

Data protection.

All submitted essays are encrypted at rest (AES-256) and in transit (TLS 1.3). Access is limited to a small number of staff for abuse-investigation purposes and is logged. Retention is 30 days for most submissions, then deletion.

Security reporting.

Please report vulnerabilities to security@aiessaydetector.ai. We acknowledge within one business day and publish a coordinated-disclosure timeline. We do not currently run a public bug bounty but reward significant findings at our discretion.

Incident history.

No security incidents affecting customer data as of the last-updated date on this page. If that changes, a post-mortem will be published here within 30 days of resolution.

Data Processing and Retention Policies

User-submitted documents are processed through a multi-stage pipeline that prioritizes both analytical accuracy and data minimization. When a document is uploaded for AI detection analysis, the system extracts linguistic features, statistical patterns, and structural markers without retaining the full text beyond the active analysis session. Processing occurs in isolated containerized environments that are destroyed upon job completion, typically within 90 seconds of submission. Metadata associated with each analysis (timestamp, document length, detection score) is retained for 30 days to support account history and dispute resolution, after which it undergoes automated purging from production databases.

For users with registered accounts, analysis history is maintained in encrypted storage using AES-256 encryption at rest, with separate encryption keys rotated quarterly through AWS Key Management Service. Free-tier users receive a 14-day retention window for their submission history, while premium subscribers can access historical reports for up to 12 months. All retention periods comply with GDPR Article 5 principles of storage limitation and purpose specification. Users may request immediate deletion of their analysis history through the account dashboard, triggering a cascade deletion process that completes within 72 hours and includes backup systems.

Raw document content is never used for model training or service improvement without explicit opt-in consent obtained through a separate agreement. Third-party access to processing data is restricted to designated subprocessors operating under data processing agreements that mirror our primary privacy commitments. Regular audits of data flows occur quarterly, with findings documented in our SOC 2 Type II reports available to enterprise customers upon request.

Infrastructure Security and Network Architecture

The aiessaydetector.ai platform operates on a cloud-native architecture distributed across multiple availability zones within AWS us-east-1 and eu-west-1 regions. Network segmentation follows a zero-trust model where application servers, database instances, and machine learning inference engines reside in isolated Virtual Private Clouds (VPCs) with no direct internet exposure. All external traffic passes through AWS Application Load Balancers protected by AWS WAF (Web Application Firewall) rulesets configured to block OWASP Top 10 attack vectors, including SQL injection, cross-site scripting, and distributed denial-of-service attempts. Rate limiting at the API gateway layer restricts individual IP addresses to 100 requests per minute, preventing both abuse and reconnaissance activities.

Database systems employ encrypted connections using TLS 1.3 exclusively, with certificate pinning enforced for all inter-service communication. PostgreSQL databases storing user accounts and subscription data reside in private subnets accessible only through bastion hosts that require multi-factor authentication and maintain comprehensive audit logs. Automated daily backups are encrypted using customer-managed keys and replicated to geographically separate regions with a 35-day retention cycle. Point-in-time recovery capabilities enable restoration to any moment within the preceding seven days, supporting both disaster recovery and incident investigation requirements.

Vulnerability management follows a continuous assessment model using Snyk for dependency scanning, Trivy for container image analysis, and AWS GuardDuty for threat detection. Critical vulnerabilities identified in production dependencies trigger automated alerts to the security team with a four-hour response SLA. Monthly penetration testing conducted by third-party security firms validates control effectiveness, with remediation of high-severity findings completed within 15 business days. Security patches for operating systems and middleware are applied through automated pipelines within 72 hours of vendor release for critical updates.

Incident Response and Transparency Reporting

Our formal incident response program operates on a tiered classification system aligned with NIST SP 800-61 guidelines. Potential security events are categorized as Low (minimal user impact, no data exposure), Medium (limited data exposure affecting fewer than 100 accounts), High (significant service disruption or exposure of sensitive data), or Critical (widespread data breach or complete service outage). The security operations team maintains 24/7 monitoring of system logs, intrusion detection alerts, and anomaly indicators through a centralized SIEM platform. Upon detection of a Medium or higher incident, the on-call security engineer initiates the response protocol within 15 minutes, assembling a cross-functional team including infrastructure, application development, and legal stakeholders.

Since platform launch in January 2023, we have experienced zero High or Critical security incidents involving unauthorized data access. Three Medium-severity incidents have occurred: an April 2023 configuration error that temporarily exposed API documentation containing sanitized example payloads (resolved in 23 minutes), a September 2023 DDoS attack that degraded service performance for 47 minutes (mitigated through traffic filtering), and a December 2023 dependency vulnerability in a logging library that was patched before exploitation occurred. Each incident generated a detailed post-mortem report documenting timeline, root cause analysis, affected systems, and preventive measures. These reports are retained internally for five years and shared with enterprise customers under NDA upon request.

Transparency in security communication is operationalized through multiple channels. The public status page at status.aiessaydetector.ai displays real-time uptime metrics and historical incident summaries updated within 10 minutes of confirmed service disruptions. For incidents involving potential data exposure, affected users receive direct email notification within 72 hours containing specific details about what information was involved, remediation steps taken, and recommended user actions. Annual transparency reports published each February provide aggregated statistics on security events, data access requests from law enforcement, and subprocessor changes. This commitment to open communication builds trust while maintaining appropriate confidentiality around security implementation details that could aid potential attackers.

Subprocessors, current as of 2026-04-20
| Subprocessor | Purpose | Region | Data type |
| --- | --- | --- | --- |
| Cloudflare, Inc. | Hosting, DDoS protection, WAF, edge compute | Global (EU + US regions used) | Request traffic, submitted text |
| Cloudflare R2 | Object storage | EU & US | Report artifacts |
| Cloudflare D1 | Analytics database | EU & US | Usage counters only (no essay text) |
| Cloudflare Workers AI | Inference | Global | Submitted text (processed, not retained) |
| Stripe, Inc. | Billing | US | Billing identity; no essay content |
| Postmark | Transactional email | US | Email address only |

Frequently asked questions

Are you SOC 2 certified?
Type II audit is in progress. The Type II report is expected Q3 2026 and will be available under NDA.
Do you offer SSO?
SAML and OIDC SSO are included on the Institutional plan. Google Workspace and Okta are supported out of the box; other IdPs case-by-case.
Can I request a custom DPA?
Yes, institutional customers can execute on their own paper with reasonable redlines. Email security@aiessaydetector.ai.