Security & Data Handling

When you send text to the compression API, our engine analyzes it using graph-based semantic extraction (PageRank over sentence relationships), token-level attention scoring, and multi-pass inlining. The compressed output is returned in the API response. The original input text is processed entirely in memory and not persisted beyond the API response — it is never written to disk or stored in a database.

For each compression request, we retain only:

• Input and output token counts (for usage metering and billing)
• A truncated 100-character preview of the input (for the dashboard history view)
• Compression ratio, algorithm used, and request timestamp
• Your user ID and API key identifier (not the key itself)

We do not store full documents, full compressed outputs, or any content beyond the 100-character preview.

We will provide 30 days' notice via email to all account holders before adding or replacing a sub-processor that handles user data.

All data in transit is protected by TLS 1.2+ (HTTPS). Data at rest in Supabase and Upstash is encrypted by the cloud provider using AES-256. Backups are also encrypted at rest.

User authentication is handled by Clerk with support for email/password, OAuth (Google, GitHub), and multi-factor authentication. Single Sign-On (SSO/SAML) and OIDC federation are available on Business and Enterprise Dedicated tiers.

API keys are hashed with HMAC-SHA256 before storage — plaintext keys are shown only once at creation time and are never retrievable afterward. Key creation, rotation, and revocation are audit-logged.

Internal access to production systems follows least-privilege principles: access is granted per role (engineering, on-call, billing-support), reviewed quarterly, and revoked immediately upon role change or departure. MFA is required for all production database, cloud-provider console, and SSH access. There are no shared root or service-account credentials. We log all production access for audit review.

Paid customers: Usage metadata is retained for the duration of your billing period plus 90 days to support dispute resolution and billing reconciliation.

Free tier: Usage metadata is retained for 90 days from your last API call, then permanently deleted.

Deleted accounts: Upon receipt of a verified deletion request (see §GDPR & Data Subject Rights), all account records, usage metadata, API key identifiers, team membership, and 100-character preview history are permanently purged within 30 days. Backups containing your data continue to roll off according to our standard 35-day backup retention window.

The 100-character preview is governed by the same retention windows as the parent usage record.

You have the right to request a full export of your stored data or permanent deletion at any time. To exercise these rights:

• Email privacy@gotcontext.ai with subject line DSR — [your account email].
• We acknowledge requests within 5 business days and complete verified requests within 30 days, per GDPR Article 12(3).
• Verification: we will reply from a recognized address asking you to confirm the request from your account email and (for deletion) to confirm in writing.

Export scope: account record, all usage metadata, API key identifiers (not the keys themselves), team membership, billing records, and the 100-character preview history. Deletion scope: same fields, permanently purged within 30 days of confirmed request.

SOC 2 Type II audit: We are actively building toward SOC 2 Type II readiness, with controls documentation maintained continuously. We have not yet engaged an independent auditor for the formal Type II observation period.

Prospective and current customers can request our current security questionnaire (SIG-Lite or equivalent), controls evidence package, and architecture-overview document by emailing security@gotcontext.ai. We respond within 5 business days.

Penetration testing: We have not yet conducted an external penetration test. We will commit to one before the SOC 2 Type II observation period begins; results will be available to enterprise customers under NDA.

A standard Data Processing Agreement (DPA) is available on request. Our DPA covers GDPR Art. 28 controller-processor obligations, sub-processor change notification (30 days), security measures, and breach notification timelines (see §Incident response & breach notification).

To request the DPA, email security@gotcontext.ai with subject line DPA request — [your account email]. We respond within 5 business days. Custom MSAs are available for Business and Enterprise Dedicated tier customers.

We maintain an internal incident response plan covering detection, containment, customer notification, and post-incident review.

Breach notification: In the event of a security incident involving your data, we will notify you within 72 hours of confirmed discovery. Notification will be sent to the email on your account. We will provide an initial scope assessment, mitigation actions taken, and a post-incident report within 30 days of resolution. Internally, all security incidents are tracked via security@gotcontext.ai.

To report a suspected vulnerability or security issue with the gotcontext.ai service, please email security@gotcontext.ai. We do not currently operate a paid bug bounty program but acknowledge responsible disclosure within 5 business days.