Skip to main content
Deep AI Detector
Log in Sign up free

Security Overview

Last updated: 2026-06-07

Headlines

  • Encryption in transit (TLS 1.3 + HSTS preload) and at rest (AES-256).
  • Passwords hashed with Argon2id; no plaintext storage.
  • Submitted text purged within 24 hours unless you opt in to history.
  • SHA-256 hashing of IPs; we never store plaintext IP.
  • MFA-protected administrative access; least-privilege IAM.
  • Edge-served on Cloudflare with WAF, bot defence, and global anycast.
  • Coordinated vulnerability disclosure via /.well-known/security.txt.
  • SOC 2 Type II audit planned within 12 months of GA.

1. Hosting & network

  • Service runs on a globally-distributed serverless platform. Compute, database, cache, and object storage are all served from the edge with no fixed-region single point of failure.
  • ML inference runs on serverless GPU infrastructure, called via HMAC-signed requests over TLS.
  • No public-internet origin servers. No SSH or RDP into a production host because there is no host.
  • WAF rules block known abusive patterns; bot-protection challenges are used for human-verification on sensitive endpoints.

2. Encryption

  • In transit: TLS 1.3 only; HSTS with preload directive; HTTP→HTTPS automatic 308; SSL Labs A+ target.
  • At rest: AES-256 for D1, R2, KV (provider-managed envelope keys).
  • Sensitive fields: passwords hashed with Argon2id (memory-hard); session tokens are 256-bit random, HMAC-signed; CSRF tokens per-session.
  • Inter-service: HMAC-signed bodies on Modal calls; API-key bearer + per-key rotation.

3. Access control

  • Administrative access requires single sign-on with hardware-backed MFA (WebAuthn) where supported.
  • Least-privilege IAM with role separation: dev / ops / billing / support.
  • Quarterly access reviews. Off-boarding within 24 hours of departure.
  • Admin actions logged to a tamper-evident audit log retained 12 months.
  • Customer support cannot read submitted text by default — opening a ticket on a detection requires explicit customer consent and produces an audit-log entry.

4. Data handling

  • Submitted text purged from cache and logs within 24 hours unless retained per the plan.
  • Result cache keyed by sha256(text) — never stores plaintext.
  • Anonymous-tier rate limit keyed by salted SHA-256 of IP — never stores plaintext IP.
  • Translation cache stores hash + result only, no plaintext.
  • Backups encrypted; point-in-time recovery on D1; daily R2 snapshots; restore tested quarterly.
  • Retention schedule documented in Privacy Policy §10.

5. Application security

  • All external input validated with Zod schemas.
  • CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy.
  • CSRF token on every state-changing request.
  • SameSite=Lax cookies; HttpOnly and Secure always.
  • No eval(), no inline scripts (CSP nonce-only).
  • Output escaping audited at template boundaries.

6. Bot & abuse defence

  • Cloudflare Turnstile on sign-up, login, password reset.
  • Rate limiting at the edge with KV-backed counters.
  • Anomaly heuristics flag rapid IP / account creation, repeated failed logins.
  • Adaptive blocking for known abuser ASNs and residential-proxy ranges.

7. Vulnerability management

  • Dependency scanning on every PR (npm audit + Renovate).
  • Quarterly review and patch of base images and Modal images.
  • Critical CVEs patched within 7 days of public disclosure.
  • Annual third-party penetration test once we reach $1M ARR or 10k MAU, whichever first.

8. Incident response

  • Documented runbooks for credential leak, sub-processor breach, DDoS, data exfiltration.
  • On-call rotation with primary + backup.
  • Public post-incident summary within 5 business days for major incidents.
  • Customer notification within 72 hours of confirmed personal-data breach (per Privacy Policy §12 and DPA §9).

9. Coordinated vulnerability disclosure

We welcome reports. Read /.well-known/security.txt and email [email protected]. Out of scope: spam, missing security headers without demonstrable impact, social-engineering attacks against employees, DoS, and rate-limit bypass that does not lead to data exposure. We commit to acknowledge within 2 business days, triage within 5, and not pursue legal action against good-faith researchers who follow the policy.

10. Compliance & certifications roadmap

  • Current: GDPR / UK GDPR / CCPA / CPRA / LGPD compliance (see Privacy Policy); standard DPA available with EU SCCs.
  • Planned within 12 months of GA: SOC 2 Type II.
  • Planned within 24 months of GA: ISO 27001.
  • If demand: HIPAA / BAA (only with healthcare-vertical customers and an explicit signed BAA).

11. Sub-processors

See Privacy Policy §8 and the DPA.

12. Business continuity & resilience

  • Cloudflare global edge — no single point of failure.
  • Stateless Workers — restart instantly.
  • Modal warm pool to absorb spikes; cold-start fallback documented.
  • Webhook handlers idempotent and queued.

13. Personnel

  • Background checks where lawful for new hires with production access.
  • Confidentiality agreements signed before access.
  • Mandatory annual security + privacy training.

14. Contact

Security questions: [email protected]. Privacy: [email protected].