// trust
Trust & data handling
We assume breach and minimize what we retain. This page summarizes how the platform protects your data and who processes it. For full detail, see our Privacy notice and Security pages.
Core guarantees
- No model-authored code is executed on our servers — AI output is treated as untrusted data.
- Offline tools never store your input — they process it in memory and discard it.
- No plaintext at rest for Quantum Vault payloads, which are encrypted.
- No passwords — sign-in is by single-use email code stored only as a salted hash.
- Card data never touches our server — payments run on Stripe's hosted checkout.
How we protect data in transit and at rest
- HTTPS everywhere, AES-256-GCM encryption, and argon2id hashing where applicable.
- Prepared statements, CSRF protection on every form, and SSRF guards on outbound requests.
- A strict Content-Security-Policy and a hardened,
HttpOnly/SameSite=Strictsession cookie.
Sub-processors
- Anthropic — powers AI features; we send only the content needed for a request, without your email or IP.
- Stripe — payment processing; card data is entered on Stripe's hosted page.
- Google — advertising (AdSense) and, where enabled, analytics; these set their own cookies.
Reporting a security issue
Found a vulnerability? See our Responsible Disclosure policy. We welcome good-faith reports and will work with you on remediation.