Your spec sheets are competitive assets. We treat them that way.

Your account data, structured document data, and uploaded files are stored in Supabase (PostgreSQL and object storage) hosted in the EU. All data is encrypted in transit (TLS) and at rest.

Uploaded source documents and extracted images live in private storage buckets with no public access path. Every time a file is displayed — a diagram in your results, the source PDF in the click-to-verify view — the server mints a short-lived signed URL scoped to that single file. Nothing is served from a public bucket, and URLs expire within an hour.

Database row-level security enforces isolation at the data layer: each user can read and write only their own rows. If you use teams, members access shared documents and glossaries only through verified team membership — there is no global read path.

Sign-in supports two-factor authentication (TOTP) with one-time recovery codes, and you can enable it from Settings in under a minute. Sessions are managed by Supabase Auth with essential cookies only.

Documents are processed through the Anthropic Claude API for extraction, structuring, auditing, and translation. Anthropic does not use API content to train its models. The transfer to Anthropic's US infrastructure is governed by Standard Contractual Clauses under its data processing terms.

Documents submitted to the anonymous DPP readiness check are never written to our database or file storage — the analysis is returned to your browser and no record of the document remains in our systems.

The application ships with defense-in-depth controls: strict Content-Security-Policy and HSTS headers, clickjacking protection (frames denied), uploaded files validated by content signature (not just file extension), enforced size limits, and per-route rate limiting.

REST API keys are stored as SHA-256 hashes — shown once at creation, never retrievable afterward — and every API request is rate-limited and metered against your plan. Stripe webhooks are signature-verified; payment card details never touch our servers.

Your documents are retained while your account is active. You can delete any document at any time; deletion removes the database record, the stored source file, and all extracted images in a single operation.

You can export your account data from Settings (GDPR Art. 20). Account deletion is a deliberate two-step flow — a typed confirmation plus a signed email link — so a stolen session or an unattended laptop cannot wipe your data. Once confirmed, all associated data is permanently deleted within 30 days.

We run no advertising or marketing trackers: no Google Analytics, no tag managers, no pixels, no fingerprinting. Product analytics are first-party and cookieless; website performance is monitored via Vercel's cookieless, no-personal-data tooling. The full detail — including every sub-processor and what it handles — is in our privacy policy.

SpecMake is built on infrastructure providers that hold independent security certifications: Supabase (database, auth, file storage — EU), Anthropic (AI processing — SOC 2 Type II), Vercel (hosting — EU-U.S. Data Privacy Framework), Stripe (payments — PCI DSS Level 1), and Resend (email). Each is bound by a GDPR-compliant Data Processing Agreement.

A current sub-processor list, our DPA, and answers to your security questionnaire are available on request.