// trust
Trust & data handling
We assume breach and minimize what we retain. This page summarizes how the platform protects your data and who processes it. For full detail, see our Privacy notice and Security pages.
Core guarantees
- No model-authored code is executed on our servers — AI output is treated as untrusted data.
- Offline tools never store your input — they process it in memory and discard it.
- No plaintext at rest for Quantum Vault payloads, which are encrypted.
- No passwords — sign-in is by single-use email code stored only as a salted hash.
- Card data never touches our server — payments run on Stripe's hosted checkout.
How we protect data in transit and at rest
- HTTPS everywhere, AES-256-GCM encryption, and argon2id hashing where applicable.
- Prepared statements, CSRF protection on every form, and SSRF guards on outbound requests.
- A strict Content-Security-Policy and a hardened,
HttpOnly/SameSite=Strictsession cookie.
Sub-processors
- Anthropic — powers AI features; we send only the content needed for a request, without your email or IP.
- Stripe — payment processing; card data is entered on Stripe's hosted page.
- Google — advertising (AdSense) and, where enabled, analytics; these set their own cookies.
Assurance & compliance status — the honest version
We publish our real posture instead of implying certifications we don't hold. Here is exactly where we stand:
- SOC 2 / ISO 27001: we are not certified today. Our controls are built and mapped to SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A, and an independent assessment is on our roadmap as the business grows. Until then we don't ask you to take our word for it — see the next two points.
- Continuous automated self-assessment: the platform runs 30+ automated technical control checks against the live production system — not a questionnaire. Customers in a security review can request the full evidence report at security@neoshieldsecurity.com — it lists every control, its SOC 2 / ISO mapping, and the evidence, and it is clearly labeled a self-assessment.
- Security testing: no commissioned third-party pen-test report is published yet. What exists today: continuous internal testing using the platform's own scanning and audit tooling on every release, a public vulnerability disclosure policy with good-faith safe harbor and a machine-readable security.txt (RFC 9116), so independent researchers can and do test us. A commissioned penetration test is planned alongside the certification roadmap.
- Operational resilience (small team, by design): a one-person team compensates with automation and written procedure, not heroics — automated daily backups with rotation, sealed file-integrity monitoring over the entire codebase (HMAC-protected SHA-256 baseline, so tampering is detectable even at 3 am), a daily guardian job that re-verifies everything and alerts on any regression, database failover to a secondary storage mode, and a documented incident-response & continuity runbook covering triage, containment, recovery and customer communication.
Reporting a security issue
Found a vulnerability? See our Responsible Disclosure policy. We welcome good-faith reports and will work with you on remediation.