Trust Center

Hosting and region

Compliance PreCheck is hosted entirely on Amazon Web Services in the us-east-2 region (Ohio). No customer data leaves the continental United States during normal operation, except when sent to our analysis vendor as described in AI vendor posture.

Cloud provider

Amazon Web Services

Primary region

us-east-2 (Ohio)

Backup region

None — point-in-time snapshots stored in-region

Application layer

EC2 (hardened Ubuntu 24.04 LTS)

Database

PostgreSQL on AWS RDS, private subnet only

Object storage

S3 with bucket-level encryption and versioning

Encryption

In transit

All traffic to complianceprecheck.com and our subdomains is served over TLS 1.2 or higher, with TLS 1.0 and 1.1 explicitly disabled at our load balancer. Certificates are issued by AWS Certificate Manager and rotated automatically. HSTS is enforced.

At rest

All persistent storage is encrypted with AES-256:

• Database (RDS) — encryption enabled at volume creation using AWS-managed KMS keys; snapshots inherit encryption
• Object storage (S3) — bucket default encryption set to SSE-S3 or SSE-KMS; uploaded documents are encrypted before persisting
• Block storage (EBS) — all EBS volumes attached to production EC2 are encrypted at rest

Key material is managed by AWS KMS. We do not hold, export, or have direct access to private key bytes.

What happens when you upload a document

A compliance check takes your document and evaluates it claim-by-claim against the regulatory frameworks you select. Here is every place your document goes:

1. Browser → Compliance PreCheck over TLS 1.2+. The file lands in our private S3 bucket, encrypted at rest.
2. Background worker extracts text from your document (PDF/DOCX/TXT) inside our VPC — no third party sees this step.
3. Analysis API: we send the extracted text to Anthropic's API for claim-by-claim evaluation against each framework requirement. Anthropic processes the content in memory and does not retain it after the API call completes (see AI vendor posture).
4. Findings are written back to our database. The original file stays in S3 so you can re-read your report.
5. You're emailed a link to your report. No one outside Compliance PreCheck sees the finished report unless you share it.

AI vendor posture

Compliance PreCheck uses Anthropic's Claude API for document analysis. Two things matter about this relationship:

• Zero retention on API traffic. Under Anthropic's Commercial Terms, inputs and outputs of API requests are not retained after the request completes and are not used to train or fine-tune Anthropic's models. This is the same posture enterprise AI customers rely on.
• Data residency. Anthropic's API endpoints we use are in the United States. Your document does not leave US infrastructure during analysis.

If your procurement policy requires AI vendor attestations, we're happy to share Anthropic's relevant documentation and a data flow diagram on request.

Authentication and access control

Customer accounts

• Passwords hashed with bcrypt at Django's default work factor, plus salt
• Email verification required before a new account can run a check
• Session cookies marked HttpOnly, Secure, and SameSite=Lax
• Password reset via single-use, time-limited tokens; reset links expire after 24 hours
• CSRF protection on every state-changing request

Internal access

• Production database access is limited to a short list of named engineers, authenticated via SSH with public-key auth (passwords disabled)
• AWS IAM roles follow least-privilege; no shared root credentials
• Production EC2 is in a private subnet behind a bastion; no direct SSH from the public internet

Retention and deletion

We retain your documents and reports for as long as your account is active so that you can review them later. If you want something deleted sooner, we'll delete it — email support@ailaunchpods.com from the address on your account and we'll remove the specified report, document, and all associated findings within 30 days (typically within 48 hours).

If you close your account, we delete uploaded documents and generated findings within 30 days of account closure. We retain billing records (invoices, Stripe transaction IDs) for seven years to satisfy tax and financial audit obligations, as required by law.

Logs (application, access, error) are retained for 90 days and then rotated out.

Subprocessors

Vendors that process customer data on our behalf, what they do, and where they are:

We will update this list whenever a subprocessor is added or changed. If your agreement requires advance notification of subprocessor changes, let us know during onboarding and we'll honor a 30-day notice.

Incident response

We monitor application errors, authentication anomalies, and background-worker failures continuously. If we identify a security incident that affects customer data, we commit to:

• Notify affected customers within 72 hours of confirming an incident involves their data
• Provide a description of what happened, what data was involved, what we've done, and what (if anything) we're asking you to do
• Follow up with a post-incident write-up once the investigation closes

Security researchers and customers who believe they've found a vulnerability should email support@ailaunchpods.com with details. We won't pursue legal action against good-faith researchers who follow responsible disclosure.

Certifications roadmap

We're a young product and we're transparent about where we are. We do not currently hold third-party security certifications. Here's what's on the roadmap:

If your procurement process blocks on a specific certification, tell us — it helps us prioritize, and in some cases we can provide compensating documentation (security questionnaires, data flow diagrams, subprocessor lists, customized DPAs) that may unblock you.

Contact

Security questions, vulnerability reports, vendor assessment questionnaires, or custom DPA requests: support@ailaunchpods.com.

Privacy rights (access, correction, deletion, portability): see our Privacy Policy.