- End-to-End Encryption: TLS 1.3 in transit, AES-256 at rest
- No Prompt Storage: we never see or store your AI prompts
- Auto Data Deletion: free tier data deleted within 24 hours
- Compliance Ready: GDPR & CCPA compliant
1. What Data We Process
To provide cost analysis, we process only metadata from your AI usage:
| Data Type | Example | Sensitivity |
|---|---|---|
| Model name | gpt-4, claude-3-opus | Low |
| Token counts | 150 input, 250 output | Low |
| Team/Department | engineering, marketing | Medium |
| Timestamps | 2025-11-25T10:30:00Z | Low |
What we do NOT process:
- Your actual prompts or AI responses
- Customer PII from your prompts
- Your API keys for OpenAI/Anthropic/Google
- Any content that passed through your AI calls
2. Infrastructure Security
2.1 Hosting
- Application: Railway (US-based, SOC 2 compliant)
- Database: Supabase PostgreSQL (AWS infrastructure)
- Payments: Stripe (PCI DSS Level 1 compliant)
2.2 Network Security
- All traffic encrypted with TLS 1.3
- HTTPS enforced (HTTP redirects to HTTPS)
- HSTS headers enabled
- Rate limiting to prevent abuse
- DDoS protection via Railway/Cloudflare
2.3 Application Security
- JWT-based authentication with short expiry
- CSRF protection on all forms
- Input validation and sanitization
- SQL injection prevention (parameterized queries)
- XSS protection headers
- Content Security Policy (CSP)
3. Data Protection
3.1 Encryption
| Layer | Method |
|---|---|
| In Transit | TLS 1.3 |
| At Rest (Database) | AES-256 (Supabase managed) |
| At Rest (Backups) | AES-256 |
| API Keys | SHA-256 hashed (one-way) |
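The one-way API key storage described in the table, as an added illustration (not the service's own code): only the SHA-256 digest of a key is persisted, so a leaked record can authenticate a key but never reveal it. The in-memory store and its field names are assumptions standing in for the real database.

```python
import hashlib
import secrets
from typing import Optional

# Constructed stand-in for the API-keys table: it holds only the SHA-256
# digest of each key, never the key itself. Field names are assumptions.
_KEY_STORE: dict = {}


def hash_api_key(api_key: str) -> str:
    """One-way SHA-256 of the key.

    Plain SHA-256 (no salt, no slow KDF) is acceptable here only because
    the key is 32 random bytes from a CSPRNG, so it cannot be guessed or
    brute-forced the way a human-chosen password can.
    """
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(owner: str) -> str:
    """Generate a key, persist only its hash, and return the plaintext once."""
    api_key = "sk_" + secrets.token_urlsafe(32)
    _KEY_STORE[hash_api_key(api_key)] = {"owner": owner}
    return api_key


def verify_api_key(presented: str) -> Optional[str]:
    """Hash the presented key and look it up; return its owner or None.

    An exact lookup on the digest is fine: any timing difference leaks
    information about the stored hash, not the key, and SHA-256 cannot be
    inverted to recover the key from that hash.
    """
    record = _KEY_STORE.get(hash_api_key(presented))
    return record["owner"] if record else None


def revoke_api_key(presented: str) -> bool:
    """Delete the stored hash; returns True if a matching key existed."""
    return _KEY_STORE.pop(hash_api_key(presented), None) is not None


def stored_values() -> str:
    """Everything the store contains, for checking no plaintext is kept."""
    return repr(_KEY_STORE)
```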
3.2 Data Retention
- Free tier: Data deleted within 24 hours of analysis
- Starter: 90 days retention, then auto-deleted
- Growth: 1 year retention
- Enterprise: Custom retention per agreement
3.3 Data Deletion
You can request complete deletion of your data at any time by emailing privacy@substacker.com. Deletion is completed within 30 days.
4. Access Control
- Principle of least privilege for all systems
- Multi-factor authentication for admin access
- Audit logging of administrative actions
- Regular access reviews
5. Compliance Roadmap
| Certification | Status | Timeline |
|---|---|---|
| GDPR | Compliant | Current |
| CCPA | Compliant | Current |
| SOC 2 Type I | Planned | Q2 2026 |
| SOC 2 Type II | Planned | Q4 2026 |
| ISO 27001 | Planned | 2027 |
6. Incident Response
In the event of a security incident:
- Detection: Automated monitoring and alerting
- Containment: Immediate isolation of affected systems
- Notification: Affected users notified within 72 hours
- Remediation: Root cause analysis and fix
- Post-mortem: Public disclosure (if appropriate) and lessons learned
7. Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly.
Report a vulnerability by email: security@substacker.com
We commit to:
- Acknowledge receipt within 48 hours
- Provide status updates every 7 days
- Not pursue legal action against good-faith researchers
- Credit researchers in our security advisories (if desired)
8. Enterprise Security Options
For Enterprise customers, we offer:
- Single Sign-On (SSO) with SAML 2.0
- Custom data retention policies
- Dedicated infrastructure option
- On-premise deployment
- Custom Data Processing Agreement (DPA)
- Security questionnaire completion
- Penetration test reports (upon request)
9. Contact