DataSecurityisOurTopPriority

Your patent data is protected by the strictest security standards

Core Trust Principles

How Patenty protects your data

No AI Model Training

Customer data is never used for AI model training

Neither Patenty nor third-party AI providers use your patent data for model training. Data is only used to deliver the requested services.

Highest-Level Logical Separation

Each user's data is completely separated

Row-Level Security (RLS) ensures complete data separation between users. No user can access another user's data.

End-to-End Encryption

Encrypted in transit and at rest

All data is encrypted with TLS 1.3 during transmission and AES-256 at rest.

Complete Deletion

Data fully removed upon deletion

When a customer deletes data, it is immediately removed from the live database, including related files and metadata. Backup copies expire and are purged on their retention cycle.

CSA STAR Level 1

Global cloud security certification

We have achieved Cloud Security Alliance's Security, Trust, Assurance and Risk (STAR) program Level 1 certification.

Third-Party Compliance

All infrastructure partners are security certified

All infrastructure partners including Vercel, Supabase, and Google Cloud hold global security certifications such as SOC 2 Type II and ISO 27001.

Security Certifications

Trusted global security standards compliance

CSA STAR Level 1

Infrastructure Partner Certifications

Vercel

SOC 2 Type II, GDPR, ISO 27001 Aligned

Supabase

SOC 2 Type II, HIPAA Eligible, GDPR

Google Vertex AI

ISO 27001, SOC 2, GDPR, FedRAMP

OpenAI

SOC 2 Type II, GDPR

Mistral AI

SOC 2 Type II, GDPR

Data Handling Policies

Storage & Management

Encryption applied both in transit and at rest
Complete tenant isolation structure per user
Hosted on secure cloud infrastructure (Supabase - AWS-based)

Deletion Policy

Complete removal from database when you delete
Immediately removed from the live DB; backup copies are deleted when their retention period expires
Complete deletion including related files and metadata

AI Usage Policy

Never reused for AI model training, internal analysis, or generating other users' specifications
Used only for processing the specific user's service requests
LLM providers also do not use customer data for model training

AI Data Governance

Customer data protection policies when using AI services

LLM Provider Data Sharing Policy

LLM providers use customer data only for providing Patenty services and do not use it for AI model training.

Zero Data Retention (external LLM routing)

Sensitive customer patent data is processed either on our primary Google Vertex model (Premium plans plus all drawing and vision analysis) or — when value-tier economy AI generation is enabled — by a vetted subprocessor (OpenRouter, Inc.) that processes the data on our behalf under enforced Zero Data Retention (data-collection denied on every request: no storage, no training). Wherever your data is processed, Zero Data Retention and no-training are contractually enforced. Our full, current list of subprocessors is available at /privacy/subprocessors.

No Customer Data Model Training

Customer data is never used to train models. Our primary model, Google Vertex AI, does not use customer prompts or outputs to train its foundation models, per its public data governance policy.

PII Minimization

Only email addresses are collected for authentication. No other personally identifiable information (PII) is collected.

Data Hosting Location

Data is hosted on secure cloud infrastructure (Supabase - AWS-based).

Data Retention Policy

Data is retained only while there is a business need or regulatory requirement, then securely deleted.

Technical Security Implementation

Actual security features based on CSA STAR Level 1 certification

Authentication & Access Control

(6)

Zero Trust Authentication - Authentication and authorization verification for all requests

RBAC (Role-Based Access Control) - user, investor, admin role-based access control

Rate Limiting - Multi-layer request throttling

Suspicious Activity Detection - Detection and blocking of abnormal login attempts

Session Management - Secure session management and validity verification

Project-Level Access Control - Granular access permissions per project

Data Protection

(7)

Row-Level Security (RLS) - Database row-level security policies

Input Validation - Zod schema-based input validation

XSS Prevention - XSS attack prevention via DOMPurify

Sensitive Data Redaction - Automatic removal of sensitive information from logs

Security Headers - CSP, HSTS, X-Frame-Options

Secure Deletion - Safe deletion of related data when users delete accounts

SSRF Protection - Validates user-supplied URLs to block server-side request forgery

Monitoring & Audit

(3)

Comprehensive Audit Logging - Audit logs for all user activities

Security Event Tracking - Security event tracking and severity classification

Sentry Integration - Real-time error monitoring (client & server)

Development Security

(4)

CI/CD Security Checks - Automated security checks (lint, type-check, build)

TypeScript Strict Mode - Strict type checking

E2E Security Tests - Security-focused E2E tests (XSS, sessions)

Dependency & Secret Scanning - Automated dependency vulnerability audit and secret scanning in CI

Compliance

(5)

GDPR Compliance - EU General Data Protection Regulation compliance

CCPA Compliance - California Consumer Privacy Act compliance

PIPA Compliance - Korea Personal Information Protection Act compliance

Multi-language Privacy Policies - Privacy policies in 4 languages

Data Subject Rights - Documentation of user rights (access, rectification, deletion, portability)

Learn More About Security

Review Patenty's detailed security policy or contact our security team

View Full Security Policy Contact Security Team