A plain-language summary of how we secure your data, who we share it with, and where we are on the road to formal certifications. Built for B2B buyers, procurement teams, and compliance reviewers.
Last verified . We update this page every quarter and whenever a subprocessor or control changes.
The short version of everything below. Each item is a control we have actually shipped today, not a roadmap promise.
| Control | Status | Notes |
|---|---|---|
| Encryption in transit | Live | TLS on every public endpoint (app, API, marketing, ML inference). |
| Encryption at rest | Live | Provider-managed disk encryption on hosted Postgres and object storage. |
| Two-factor authentication (TOTP) | Live | Self-serve setup with QR provisioning. Team-level enforcement available. |
| Passkeys (WebAuthn) | Live | Built on SimpleWebAuthn. Hardware-key compatible. |
| Password hashing | Live | bcrypt with per-user salt. |
| Session expiry & cleanup | Live | Server-side sessions with explicit expiry; daily cleanup job. |
| API key scopes | Live | Per-key least-privilege scopes enforced in middleware. |
| Rate limiting | Live | Express rate limit on auth, 2FA, passkey, and API surfaces. |
| Admin impersonation audit trail | Live | Every impersonation event written to the internal audit log. |
| Structured logging with PII redaction | Live | pino logger with redaction rules for sensitive fields. |
| Error monitoring | Live | Sentry on the API and the React app. |
| GDPR cookie consent | Live | Necessary / analytics / marketing categories, default opt-out. |
| GDPR data export | Live | Self-serve data export endpoint inside the app. |
| Granular email preferences | Live | Per-category opt-out for transactional, product, and marketing email. |
| Signed outbound webhooks | Live | HMAC-signed delivery with replay-protection metadata. |
| SOC 2 Type II | Planned | Working toward certification, target Q4 2026. |
We are deliberately conservative about compliance claims. If a framework appears here without the word "certified", we have not earned it and we will not say we have.
Status: planned, target Q4 2026. We are working toward SOC 2 Type II certification and have prioritised the control areas the audit will exercise (access management, change management, logging, vendor management, incident response). We do not yet hold a SOC 2 report and will not claim one until the audit completes.
Status: compatible. We support the data-subject rights that GDPR requires for individual users: a self-serve data export, account deletion on request, granular consent for non-essential cookies, and a documented retention model. Lacewing Technologies, the operating entity, is established in India and offers GDPR-compatible processing terms for customers in the EU and UK.
Status: compatible workflow. TextSight is a vendor tool that educators choose to use; we are not a "school official" in the FERPA sense. For institutional accounts that handle student records, custom data-processing terms (restricting use of submitted text, retention windows, and access to student-identifying metadata) are available on request for qualifying accounts; please contact legal@textsight.ai. See the educators page for the procurement workflow.
Card data is handled exclusively by Stripe, a PCI DSS Level 1 service provider. TextSight servers never receive raw card numbers, CVV codes, or full PAN values. The only payment data that touches our database is a non-sensitive Stripe customer identifier and the last four digits of the saved card returned by Stripe for display.
TextSight does not offer service to Pakistan and explicitly excludes it from country pages, comparison pages, FAQs, and procurement workflows. This is a product policy decision, not a vendor restriction.
Every account, free or paid, gets the same security controls. We do not gate 2FA or passkeys behind a paid tier, because gating safety features is a dark pattern.
TOTP-based 2FA with QR-code provisioning. Compatible with Google Authenticator, 1Password, Authy, and any other RFC 6238 authenticator. Admins on team plans can enforce 2FA across all members. If a user loses their authenticator device, recovery runs through verified-email account recovery from support.
Passkey support is built on SimpleWebAuthn and works with hardware security keys (YubiKey, Titan), platform authenticators (Touch ID, Windows Hello, Android biometrics), and password managers that ship passkey support. Multiple passkeys per account are supported, so you can register a phone, a laptop, and a hardware key on the same identity.
Sessions are stored server-side with explicit expiry. A daily cleanup job removes expired sessions. Users can view active sessions in account settings and revoke any session they do not recognise. Impersonation sessions issued by admin support are tagged in the JWT and surfaced in the UI banner so the user knows when an operator is in the seat.
Auth endpoints, the 2FA verification endpoint, and the passkey assertion endpoint each have per-IP and per-identity rate limits enforced before the handler runs. The API surface enforces per-key request budgets aligned with the scopes on the key.
API keys are created with explicit scopes (for example, scan-only or humanizer-only). The scope is enforced in middleware on every request, so a leaked scan key cannot be used to call billing or admin endpoints. Keys can be rotated or revoked at any time from the dashboard.
Account metadata (email, hashed password or OAuth identifier, name if provided), the text you submit to the detector or humanizer for the duration of processing, usage counters needed to enforce plan limits, billing identifiers from Stripe, and standard server logs.
Submitted text is retained for the user-controlled history window in the dashboard (default: until the user deletes it from history). Account-level usage counters and billing records are retained for as long as the account exists. Once an account is deleted, related text records and personal data are removed from our active databases within thirty days. Backups age out on the standard provider rotation and are not used to restore deleted user data.
Account deletion is available on request. Email privacy@textsight.ai from the account address (or any verified address on the account) and we will action the deletion. Once your account is closed, you lose access to history, exports, and billing portals. The deletion is permanent.
A self-serve data export is available inside the app. It packages your account metadata, history records, and billing summary into a downloadable archive.
The vendors below process customer data on our behalf. This list is the source of truth; if it does not appear here, we are not sharing customer data with them.
| Vendor | Purpose | Data they touch | Region |
|---|---|---|---|
| Hetzner Cloud | ML inference (AI detection, humanizer rewrites) | Submitted text during processing | Germany (EU) |
| DigitalOcean | Node API hosting and managed PostgreSQL | Account, history, usage, billing identifiers | Configurable, primary region in the EU |
| Vercel | App and marketing site hosting (static + edge) | Server logs, no submitted text | Global edge |
| Stripe | Billing, card processing, invoicing | Card details, billing address, tax identifier | Global, EU and US data centres |
| Postmark | Transactional email | Email address, message content | US |
| Anthropic | Claude API for humanizer LLM rewrites | Snippets of text submitted to the humanizer | US |
| Google (Gemini API) | Generative Language API for selected tools and social image generation | Snippets of text and image prompts submitted to those tools | US |
| Google Sign-In | OAuth sign-in with Google | Sign-in identifiers (email, Google account ID) | Global, EU and US |
| Google Analytics 4 | Product and marketing analytics (consent-gated) | Anonymised analytics events, page metadata | Global, EU and US |
| Google Tag Manager | Tag delivery container (currently empty) | Page metadata only | Global |
| Meta Pixel | Conversion tracking (marketing only, consent-gated) | Page views, anonymised event identifiers | Global |
| PostHog | Product analytics (consent-gated) | In-app behavioural events | EU region |
| Sentry | Error monitoring | Error traces, environment metadata, no submitted text | EU region |
| Cloudinary | Media hosting (logos, marketing images) | No customer-submitted text | Global CDN |
We notify customers of subprocessor changes by updating this page and dating the change in the next quarterly verification. Enterprise customers on a signed DPA receive proactive notice by email before a new subprocessor goes live.
No security incidents to date. We define a security incident as unauthorised access to customer data, exfiltration of submitted text, account takeover affecting more than one account, or a confirmed breach by a subprocessor that touched TextSight data. We will publish a short post-mortem on this page if any of those ever occurs, with the date, the scope, the user impact, the root cause, and the remediation.
If you are buying TextSight on behalf of a company, an institution, or a school district, the items below cover the procurement questions we get most often.
A DPA is available on request to legal@textsight.ai. Tell us the legal entity that will sign, the jurisdiction, and which products are in scope (Detector, Humanizer, API, Chrome extension, WordPress plugin). We can also accept your standard DPA template for review. If your procurement team needs custom data-processing terms beyond the DPA, those are available on request for qualifying accounts; please contact legal@textsight.ai and we will route it to the right reviewer.
Status: on the 90-day roadmap. SSO via SAML 2.0 and SCIM-based user provisioning are tier-1 items on the path to SOC 2 Type II. We are not shipping a "coming soon" badge inside the product; we will announce it on this page the day it is live.
We answer security questionnaires (CAIQ, SIG-Lite, custom vendor forms) in writing. Send the form to legal@textsight.ai with a target return date and we will reply within five business days. Once the questionnaire is complete we cache the answers, so subsequent updates ship faster.
Custom contracts are available on request for qualifying accounts; please contact legal@textsight.ai. Typical asks from institutional, educational, and large team accounts include data-residency commitments where supported by our subprocessors, custom retention windows, and named-contact escalation paths. We negotiate these on a per-account basis rather than from a fixed template.
TextSight is operated by Lacewing Technologies, registered in Maharashtra, India. GSTIN 27BSZPB5125R1ZW. SAC code 998314. LUT filed for FY 2026-27. Indian customers receive GST invoices automatically. International customers receive Stripe-issued invoices in the relevant currency.
To report a security issue, suspected vulnerability, or anything that looks like an active threat, email security@textsight.ai. We monitor this mailbox during business hours (IST) and acknowledge new reports the next business day at the latest. We do not yet run a public bug bounty programme, but we welcome responsible disclosure and we will credit researchers who report valid issues, with permission.
For privacy, data-subject, and account-deletion requests, write to privacy@textsight.ai. For procurement, contracts, and DPAs, write to legal@textsight.ai. For everything else, contact support.
No. We are working toward SOC 2 Type II certification with a target completion in Q4 2026. We will not claim certification until the audit closes and a report is in hand. Until then we publish the controls we have in place on this page so procurement teams can run their own diligence.
We treat ourselves as GDPR compatible. We support the data-subject rights GDPR requires (export, deletion, consent), we use granular cookie consent with default opt-out, and we offer a DPA on request. Lacewing Technologies, the operating entity, is established in India; for EU customers we use standard contractual clauses inside our DPA.
Detector and humanizer inference runs on Hetzner Cloud in Germany. The Node API and the managed PostgreSQL database that holds your history records run on DigitalOcean. The web app and marketing site are served by Vercel from a global edge CDN. We do not send your submitted text to ad networks, analytics vendors, or any subprocessor that is not on the list above.
No. We do not use submitted customer text to train the detector or the humanizer models, and we do not pass it to third-party model providers for their training purposes. The Anthropic Claude and Google Gemini endpoints we call for humanizer rewrites and selected tools are used under terms that exclude training on API content.
Email privacy@textsight.ai from a verified address on the account. We close the account, remove your personal data and history from our active databases within thirty days, and confirm by reply. Backup tapes age out on the standard provider rotation and are not restored to revive deleted user data.
Email legal@textsight.ai with the legal entity that will sign, the jurisdiction, and the products in scope. We can countersign our DPA or review your standard template. Custom data-processing terms are available on request for qualifying accounts; please contact legal@textsight.ai.
Not yet. SAML SSO and SCIM provisioning are tier-1 items on our 90-day roadmap as we prepare for SOC 2 Type II. The day they ship, this section will switch from "planned" to "live" with a link to the setup docs.
Email security@textsight.ai with as much detail as you can share without compromising the safety of any user data, including the steps to reproduce, the impact you observed, and any environment information. We acknowledge new reports the next business day at the latest and follow up with a tracked timeline.
We will publish a short post-mortem on this page with the date, the scope, the user impact, the root cause, and the remediation. Customers on a signed DPA receive proactive notice by email in line with the notification window in the contract.
Reach the right inbox in one click. We answer every message we receive.