Security & Compliance
How we protect your data and maintain the highest security standards
🔒Data Protection Architecture
Your security is our top priority. We've built multiple layers of protection around your data:
In-Memory Processing
Submitted text is processed entirely in memory and never written to disk. After your scan completes, the text is immediately discarded from processing systems and removed from our database within 24 hours. Only your scan results (score, detected sources, highlights) are retained briefly for your reference.
Encryption in Transit
All communication between your device and our servers is encrypted using TLS 1.3 (or higher). SSL certificates are issued and renewed automatically by our hosting provider.
API Key Protection
Your API keys are hashed using SHA-256 before storage in our database. We store only the hash, never the plaintext key. Keys are prefixed with "pe_" to help you identify them in code, but the full key is never displayed after creation — save it immediately when issued.
Row-Level Security (RLS)
Our database uses Row-Level Security (RLS) policies. Users can only access their own scans, API keys, and account data. Database policies enforce access control at the table level.
Cache Expiration (TTL)
Cached data is automatically expired and purged. Search results are retained briefly for performance, while user text is never persisted.
🛡️What We Protect Against
Unauthorized Access
Session-based authentication for web users, API key authentication for programmatic access, rate limiting (per-plan), and IP-based abuse detection.
Data Interception
TLS 1.3 encryption for all HTTP traffic, HTTPS-only enforcement (no plaintext HTTP), secure cookies (HttpOnly, Secure, SameSite).
Data Exfiltration
Text is never persisted to disk, only processed in memory. Scan results are deleted after 30 days. No backups contain user text. Access logs are audit-logged with user and IP information.
Injection Attacks
All user inputs are validated using Zod schemas, sanitized before database queries, and escaped before HTML rendering. No raw SQL execution.
Rate Limiting Abuse
Per-plan rate limits prevent abuse. Requests exceeding limits are rejected.
Denial of Service
Character limits per plan prevent resource exhaustion (Free: 50K, paid up to 75K characters). Request timeouts prevent hanging connections. Infrastructure auto-scales to handle traffic spikes.
✅Compliance Standards
GDPR (General Data Protection Regulation)
We comply with GDPR requirements including:
- Data Processing Agreement (DPA) available upon request
- User rights to access, export, and delete personal data
- Privacy by design and default
- Legitimate basis for data processing (user consent, service delivery)
- Data retention limits (scan results: 30 days max)
- Breach notification within 72 hours
CCPA (California Consumer Privacy Act)
We comply with CCPA requirements including:
- Clear disclosure of data collection practices
- User right to know what data is collected
- User right to delete personal data
- User right to opt-out of data sales (we don't sell data)
- Non-discrimination for exercising CCPA rights
SOC 2 Type II
Our infrastructure providers maintain SOC 2 Type II compliance. Audit reports are available to enterprise customers upon signing an NDA.
FERPA (Family Educational Rights and Privacy Act)
For educational institutions using our Service, we can sign FERPA-compliant Data Processing Agreements. Educational records are protected with the same encryption and access controls as all other data.
COPPA (Children's Online Privacy Protection Act)
Our Service is not intentionally directed to children under 13. We comply with COPPA by not knowingly collecting personal information from children without parental consent. See our Privacy Policy for details.
🔍Responsible Disclosure & Bug Bounty
We take security vulnerabilities seriously. If you discover a security issue, please report it to us immediately using our responsible disclosure program:
Email: security@plagiarismchecker.so
Please include a detailed description of the vulnerability, affected components, and proof-of-concept if possible.
Our Commitment:
- We will acknowledge receipt of your report within 24 hours
- We will investigate and confirm the vulnerability within 48 hours
- We will provide a timeline for remediation and keep you updated
- We will not pursue legal action against researchers who follow responsible disclosure
- We welcome attribution in our security advisory
Note: Please do not disclose vulnerabilities publicly or to others until we've had time to investigate and release a fix. Coordinated disclosure helps protect all our users.
🔗Third-Party Security
We rely on industry-leading security providers for key infrastructure:
Hosting & CDN
Enterprise-grade deployment platform. DDoS protection, automatic HTTPS, isolated serverless functions, SOC 2 Type II compliant.
Database & Auth
PostgreSQL database with Row-Level Security, OAuth2-based authentication, automated backups, SOC 2 Type II compliance.
Rate Limiting & Caching
Serverless infrastructure for rate limiting and caching. End-to-end encryption, automatic expiration (TTL), SOC 2 Type II compliance.
Search API
Web search API for plagiarism detection. No personal data is sent — only short extracted phrases from the text being scanned.
🔄Security Practices
Regular Security Updates
We deploy security patches within 24 hours of identification. Critical vulnerabilities are deployed immediately.
Dependency Management
We regularly audit and update dependencies. Automated tools scan for known vulnerabilities in npm packages.
Audit Logging
Every API call is logged with user, IP, timestamp, and response code. Logs are retained for 90 days.
Access Control
Limited access to production databases, encrypted credentials, API keys with rotation policies.
Incident Response
We have a documented incident response plan. Security breaches are communicated to affected users within 72 hours as required by law.
Questions About Security?
If you have questions about our security practices, compliance, or need to provide security feedback:
Security Issues
General Inquiries
Legal/Compliance