Trust & Safety
Security Overview
How Verdact protects your documents and account data.
Zero Retention
Documents are never written to disk or database. Ever.
TLS Encrypted
All data in transit encrypted with TLS 1.2 or higher.
Hashed Keys
API keys stored as SHA-256 hashes. Raw keys never persisted.
Zero Document Retention
The most important security property of Verdact is what we don't do: we never store your documents. Every document submitted to /detect or /redact is processed entirely in-memory within the lifetime of the HTTP request. When the request completes, the document is gone. There is no object storage, no S3 bucket, no temporary files, no database rows containing document content.
This architecture means a breach of our database or storage layer could never expose your documents — because they aren't there.
Data Isolation
Each API request is stateless and isolated. There is no cross-customer data sharing. Documents from different API keys are processed in separate request contexts with no shared in-memory state.
Encryption
In Transit
All communication between your client and the Verdact API is encrypted with TLS 1.2+. Railway (our hosting provider) terminates TLS at the edge. Plaintext HTTP (non-TLS) requests are not accepted on the API domain.
At Rest
API keys are hashed with SHA-256 before storage. Only the hash is persisted in our database — we cannot recover or display your original key. Usage logs store a SHA-256 hash of the document ID, not content.
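As an added illustration (not Verdact's own code), this Python sketch shows the storage scheme described above: a key is handed to the caller once, only its SHA-256 hash is written to the store, authentication looks up the hash of the presented key, and usage records carry a hash of the document ID rather than content. The `vd_` key prefix and the in-memory dict standing in for the database table are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyStore:
    """In-memory stand-in for the database (assumed); it holds hashes only."""

    # sha256(raw key) hex digest -> owner label; the raw key is never a value here
    key_hashes: dict = field(default_factory=dict)
    # usage records as (sha256(document id) hex digest, endpoint)
    usage_log: list = field(default_factory=list)

    @staticmethod
    def _digest(value: str) -> str:
        """SHA-256 hex digest of a UTF-8 string."""
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def provision(self, owner: str) -> str:
        """Mint a key: 256 bits from a CSPRNG, returned exactly once, persisted as a hash."""
        raw_key = "vd_" + secrets.token_urlsafe(32)  # "vd_" prefix is an assumed convention
        self.key_hashes[self._digest(raw_key)] = owner
        return raw_key

    def authenticate(self, presented_key: str) -> Optional[str]:
        """Return the owner for a valid key, else None.

        The lookup is by the hash of the presented key, the equivalent of an
        indexed hash column in a real database; no raw key is ever needed.
        """
        return self.key_hashes.get(self._digest(presented_key))

    def record_usage(self, document_id: str, endpoint: str) -> None:
        """Usage logs keep a hash of the document ID; document content is never logged."""
        self.usage_log.append((self._digest(document_id), endpoint))

    def contains_raw(self, secret: str) -> bool:
        """True if a raw secret leaked into stored state (should always be False)."""
        return secret in repr(self.key_hashes) or secret in repr(self.usage_log)
```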
API Security Controls
- Bearer token authentication: All core endpoints require a valid API key
- Rate limiting: Per-IP and per-key limits enforced via slowapi (Redis-backed in production)
- Request timeout: Requests exceeding 120 seconds are terminated with HTTP 504
- File size limit: Documents capped at 25 MB
- Extension allow-list: Only .pdf and .docx accepted
- Admin endpoints: Separate admin key required for key provisioning
Security Headers
All responses include:
- Strict-Transport-Security: max-age=31536000; includeSubDomains (HTTPS only)
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
Sub-processor Security
We select sub-processors based on their security posture. Key providers:
- Railway — SOC 2 Type II, data encrypted at rest, private networking
- Anthropic — processes text chunks only (never full documents or account data); enterprise API with data handling commitments
- Stripe — PCI DSS Level 1 certified
- Sentry — receives stack traces and request metadata only; no document content ever reaches Sentry
Incident Response
Error monitoring via Sentry provides real-time alerting on anomalous behavior. In the event of a confirmed security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware.
Compliance Posture
- GDPR: We act as a data processor under our Data Processing Agreement
- CCPA: We act as a service provider and do not sell personal data
- Zero retention: Architectural guarantee, not a policy — there is nothing to breach
Responsible Disclosure
If you discover a security vulnerability, please report it to legal@verdact.app. We will acknowledge within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We ask that you give us reasonable time to remediate before public disclosure.