Trust & Security
Security posture, compliance roadmap, data retention policy, and third-party subprocessors. Report version 2026-04, last updated 2026-04-22.
Compliance
SOC 2 Type I
In ProgressTarget: 2026 Q4
SOC 2 Type II
In ProgressTarget: 2027 Q3
GDPR
CompliantDPA available on request at privacy@deeptap.ai
DMCA / 512
CompliantTakedown, counter-notice, and reinstate flow is live.
Security
| Transport encryption | TLS 1.3 |
| Encryption at rest | AWS KMS |
| Prompt injection firewall layers | 3 |
| Vulnerability disclosure | security@deeptap.ai |
| Acknowledgement SLA | 24 hours |
Data Retention
| Category | Duration | Notes |
|---|---|---|
| Search queries | 90 days | Used for quality tuning; deleted on request |
| Extracted page content | 30 days | Cache layer only; not stored after TTL |
| API keys (hashed) | Until revoked | Only SHA-256 hash stored, never plaintext |
| Usage / billing records | 7 years | Required for financial compliance |
| Audit logs | 1 year | Security and compliance audit trail |
Subprocessors
Third-party services that process data on behalf of DeepTap.
| Processor | Category | Location | Purpose | DPA |
|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | US East, EU Dublin | Compute, storage, KMS encryption | View |
| Cloudflare | CDN / DDoS protection | Global | Edge caching and DDoS mitigation for API endpoints | View |
| Stripe | Payment processing | US | Subscription billing and invoice generation | View |
| OpenRouter | LLM inference | US | LLM calls for fact extraction and research synthesis | View |
| BetterStack | Uptime monitoring | US / EU | API uptime monitoring and incident alerting | View |
| PostHog | Product analytics | US / EU | Dashboard usage analytics (no query content) | View |