Read it for yourself.
Each page below is the authoritative source for its topic. We would rather you find the caveats here than be surprised by them later.
Security
How we protect data in transit and at rest, our authentication and access controls, and the honest limits of what we have hardened.
Read morePrivacy
What we collect, why, who we share it with, and the rights you have over your data — in plain language.
Read moreCompliance
Where we stand on SOC 2, HIPAA, and GDPR. We are not independently certified, and this page states exactly what that means.
Read moreAccessibility
Our commitment to WCAG-aligned design, what we have tested, and where we know we still have work to do.
Read moreSubprocessors
The third-party providers we rely on to run the platform, what each one does, and where your data is processed.
Read moreVulnerability disclosure
Found a security issue? Here is how to report it responsibly and what you can expect from us in return.
Read more
What we do not claim
We have not completed an independent SOC 2 audit, we are not a HIPAA platform by default, and our data is not end-to-end encrypted (AI prompts and files are sent to our AI provider to work). We align our controls with recognized frameworks and are candid about the gaps. Where we are headed on these is tracked on the non-binding product updates page.