Security

The architecture, in plain words

No checklist marketing. Just what's actually in place — and what's not.

Data

What we collect and how long we keep it

  • Your account email (used for sign-in, verification, password reset).
  • The documents you upload, your humanized output, and processing metadata (status, AI scores).
  • Voice Profile features extracted from your uploaded samples (n-gram counts, length distributions). The original sample text is also stored so you can review what trained the profile.
  • Standard request logs (IP, user-agent, status code) kept for 30 days for debugging and abuse prevention.

When you delete a document, the original and humanized text are deleted from our database and object storage within 24 hours. When you delete your account, all of the above is purged.

Training

We do not train on your content

Your documents are sent to the Anthropic Claude API for humanization. We do not fine-tune any model on your data. We do not aggregate your text into a training corpus. The Claude API call is made with our system prompt and your document as the user content, and the response is returned to you.

For details on Anthropic's data practices, see Anthropic's published privacy policy.

In transit

Encryption

  • All client connections go over HTTPS. TLS certificates are issued by Let's Encrypt and renewed automatically.
  • Internal service-to-service traffic happens over private Docker networks, not the public internet.
  • The Anthropic API call is HTTPS.

At rest

Storage

  • User data lives in PostgreSQL with disk-level encryption on the hosting volume.
  • Document bodies live in S3-compatible object storage (MinIO in our default deployment), with the same disk-level encryption.
  • Passwords are hashed via the FastAPI/passlib defaults wired into the backend.
  • Refresh tokens are stored as httpOnly cookies with the Secure and SameSite=Strict flags.

Trackers

What we don't load

We use Plausible Analytics on the marketing site, which doesn't set cookies, doesn't collect personally identifying information, and is GDPR-compliant by default. We don't load Google Analytics, Facebook Pixel, or any other behavioural tracker. The dashboard and app routes load no analytics at all.

We use Sentry for error tracking. Sentry receives stack traces and request metadata, scrubbed of body content before transmission.

Compliance

Where we are on certifications

We do not currently hold SOC 2, ISO 27001, or HIPAA certification. We are honest about this rather than hand-waving — many customers don’t need those certifications, and the ones who do tend to ask up front.

Our honest trajectory:

  • SOC 2 Type 1. We would begin a Vanta or Drata observation period when our first enterprise customer requires it. Type 1 takes roughly 3 months; Type 2 adds 6–12 months of operating-evidence collection.
  • Penetration test. We have not yet commissioned a third-party pentest. We would prioritize this for any procurement process that requires it; expect 4–6 weeks lead time on the report.
  • GDPR DPA. Standard processor-controller DPA template available on request. We’re a Frankfurt-hosted EU-resident service for European customer data (except the Anthropic API call, which is covered by Anthropic’s own DPA).
  • ISO 27001. Not on the current roadmap. We’d revisit if a meaningful procurement process requires it.
  • HIPAA. Not a regulated entity under HIPAA today. Customers in healthcare workflows should treat humanized output as sensitive content and apply their own data-handling controls.

If your procurement process requires any of the above, please tell us before we lose the deal. The trajectory we accelerate is the one customers actually pay for.

Where

Geography

Production servers run in Frankfurt, Germany (EU). If you're a GDPR-jurisdiction user, your data does not leave EU servers except for the Anthropic Claude API call (which is governed by Anthropic's processing terms). NGN billing runs through Paystack, which has its own infrastructure and certifications.

What's not done yet

We don't have a SOC 2 report. We haven't commissioned a third-party penetration test. These are on the roadmap. If your procurement process requires either, please tell us — we'll prioritize accordingly.

Disclosure

Reporting a vulnerability

Please send security reports to security@inksong.app. We acknowledge within 48 hours, fix critical issues within 7 days, and credit reporters in the changelog at their request.