Trust Center

Security practices and data handling

Summary: Your data is never stored. All traffic is encrypted. We don't train on your inputs. Enterprise DPA available on request.

Encrypted Transit No Data Storage DPA Available GDPR Ready

Data Handling

What We Don't Store

SafetyGates is designed for privacy by default:

✓Input text is never stored — Processed in memory, discarded immediately
✓No logging of content — We don't log the text you send
✓No training on your data — Your inputs are never used to train our models

What We Do Collect

For service operation and billing:

Request metadata — Timestamp, latency, text length (not content)
Usage counts — Number of API calls for billing
Error logs — Technical errors (without input content)

Retention: Metadata retained for 90 days for billing, then deleted.

Infrastructure Security

Encryption in Transit

All API traffic uses TLS 1.3 via Cloudflare. No unencrypted connections accepted.

DDoS Protection

Cloudflare's global network provides automatic DDoS mitigation on all plans.

No Public IPs

API servers are not directly internet-accessible. All traffic routes through Cloudflare Tunnel.

Rate Limiting

Built-in rate limiting prevents abuse and ensures fair usage.

Architecture Principles

Defense in depth — Multiple security layers from edge to application
Zero trust networking — No servers directly exposed to internet
Minimal data surface — Classification runs in-memory with no persistent storage
No external calls — Inference is self-contained; your data never leaves our infrastructure

Availability

We monitor API uptime 24/7 with automated health checks. View real-time and historical status:

View Status Page

Authentication & Access Control

API Key Security

API keys generated with cryptographically secure randomness
Keys are hashed before storage — we cannot retrieve your raw key
Keys can be rotated or revoked instantly
Failed authentication attempts are logged and rate-limited

Response Watermarking

Paid tier API responses include a cryptographic watermark that allows us to trace leaked responses back to their source and detect unauthorized redistribution. Watermarks do not contain your API key or any personally identifiable information.

Compliance

GDPR

Data minimization — We only collect what's necessary
No data retention — Input text is processed and immediately discarded
DPA available — Enterprise customers can request a Data Processing Agreement
Subprocessors — Cloudflare is our only subprocessor

SOC 2

We follow industry security best practices. SOC 2 certification is on our roadmap. In the meantime, we're happy to complete security questionnaires and provide documentation of our practices.

Export Controls

SafetyGates complies with U.S. export control laws. Service is not available to embargoed countries or sanctioned entities. See our Terms of Service for details.

Incident Response

Our Commitment

Detection — Automated monitoring for anomalies and security events
Response — Security incidents are triaged within 4 hours
Notification — Affected customers notified within 72 hours of confirmed breach
Post-mortem — Root cause analysis shared with affected parties

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: [email protected]
Response time: Within 48 hours
Safe harbor: Good-faith security research will not result in legal action

FAQ

Do you store the text I send?

No. Input text is processed in memory and immediately discarded.

Do you use my data to train models?

No. We will never use customer input data for training without explicit written consent.

Can I get a DPA?

Yes. Enterprise customers can request a Data Processing Agreement at [email protected].

Is SafetyGates SOC 2 certified?

Not yet. We follow SOC 2 principles and plan to pursue certification. We're happy to answer security questionnaires in the meantime.

Contact

Security: [email protected]
Legal/Compliance: [email protected]
General: [email protected]

Last updated: January 11, 2026