We measure how accurately AI describes other people's brands. That means we have to take a stricter line on our own.
Security isn't a checklist, but you have to start somewhere. These are the four areas where we hold the line, and the specifics behind each.
Customer data lives on Cloudflare Workers, D1, and R2. Every request terminates at a regional edge with DDoS protection and WAF rules tuned for our threat model.
There is no password to phish, leak, or reuse. Passkey authentication is the default. TOTP is supported as a fallback. Recovery is device-based and rate-limited.
Every byte in and out is encrypted. Keys are rotated on a 90-day schedule. Database snapshots are encrypted independently and stored in a separate region.
We're mid-window on our SOC 2 Type II audit, with a Type I report available under NDA today. GDPR-aligned for EU customers; DPA available on request.
When you scan a domain, we generate a query set, send those queries to third-party AI models, and store the responses verbatim alongside the scores we derive. That bundle is the report. Without it, the report cannot exist.
The report is yours. It's encrypted at rest, scoped to your account, and exportable in full. We do not share it with other customers. We do not surface it on the public leaderboard unless you explicitly opt in.
For methodology improvement, we aggregate query patterns and scoring signals across all scans — never the raw responses, never anything identifiable. The aggregations stay inside the company.
We do not train AI models on your data. We are not in the foundation-model business and have no plans to be. If our policy on this ever changes, you'll see a 30-day notice email, and the change will be opt-in only.
We run a responsible-disclosure program — no formal bug bounty yet, but we acknowledge every report within one business day and credit researchers in our hall of fame. PGP key on request.
security@misquoted.ai