Security
How we protect your data
A plain-English explanation of what data we collect, how it's secured, and how long we keep it.
The short version
- Uploaded files are deleted within 24 hours — we do not keep your images, audio, or video
- Text content previews (first 500 characters) are stored for your History — delete anytime
- Anonymous scans are never stored — if you scan without an account, nothing is saved
- We never sell your data or use it for advertising
- API keys are stored as one-way hashes — we cannot recover the original key
Data in transit
- All traffic served over HTTPS/TLS 1.3
- HSTS enforced with 1-year max-age
- Strict-Transport-Security header on all responses
Data at rest
- Supabase stores all scan metadata — AES-256 encrypted at rest
- Uploaded files stored in Cloudflare R2 — server-side encrypted
- API keys stored as hashed values only — plaintext never persisted
Data access
- Row-Level Security (RLS) enforced on all Supabase tables
- Users can only read and modify their own scan records
- Service-role key used server-side only, never exposed to clients
- Clerk handles authentication — we never store passwords
API security
- Public API requires a valid API key — validated against Supabase on every request
- Per-IP rate limiting via Upstash Redis (60 req/min)
- Daily quota enforced per API key (1000 calls/day default)
- X-Frame-Options, X-Content-Type-Options, and Cross-Origin-Opener-Policy (COOP) headers set
- Content Security Policy restricts script/style sources
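The header claims listed under "Data in transit" and "API security" can be checked from the outside against any response. The following Python is an added example, not Aiscern's code; the function names, the finding strings and both sample header sets are constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; the page states a 1-year HSTS max-age

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def audit_headers(headers):
    """Return findings for the headers this page lists; an empty list means all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("hsts: missing or no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("hsts: max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: not DENY or SAMEORIGIN")
    coop = h.get("cross-origin-opener-policy", "unsafe-none").lower()
    if coop.startswith("unsafe-none"):  # an absent header behaves like unsafe-none
        findings.append("coop: missing or unsafe-none")
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("script-src", "style-src"):
        sources = csp.get(directive, csp.get("default-src"))  # default-src is the fallback
        if sources is None:
            findings.append(f"csp: {directive} not restricted")
        elif "*" in sources:
            findings.append(f"csp: {directive} allows any origin")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'",
}
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; img-src 'self'",
}
if __name__ == "__main__": print(audit_headers(GOOD), audit_headers(WEAK))
```

To audit a live response, pass its header mapping (for example from `urllib.request.urlopen(url).headers`) to `audit_headers`.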
Data retention
| Data | Retention |
|---|---|
| Scan results (verdict, confidence, signals) | Retained indefinitely — visible in your History |
| Uploaded files (images, audio, video) | Deleted from R2 after 24 hours automatically |
| Scan content previews (text) | First 500 characters stored for History display |
| Anonymous scans (no account) | Not persisted — results shown in session only |
| API keys | Stored as hash — retained until you delete them |
Responsible disclosure
If you discover a security vulnerability in Aiscern, please report it responsibly before disclosing publicly. We investigate all credible reports promptly.
Contact: security@aiscern.com