Security at Classer

Your data privacy and security are foundational to how we build and operate Classer. We treat every API request as if it contains your most sensitive data.

  • SOC 2 Type II: Aligned
  • GDPR (EU): Compliant
  • CCPA (California): Compliant
  • CASA Tier 3: Aligned

Zero data retention

No data stored by default — you choose what to keep

No human review

Your API payloads are never read by employees

Your model, your data

Opt-in features only improve your model, never shared

Data Privacy

Zero data retention by default

We don't store your API Inputs or Outputs unless you opt in. By default, data is processed and immediately discarded after the response is returned.

Opt-in self-calibration

If you enable self-calibration, your data is used to improve only your model — never shared with other customers, never used to train our general models.

Configurable auto-delete

When you opt in to logging, you control the retention period. Set your own auto-delete window — your data is permanently deleted on your schedule.

You own your data

You retain full intellectual property rights over your Inputs. We assign all rights in the Outputs back to you. See our Terms of Service for details.

No human review

BrainByte employees do not read or review your API payloads, except when automated systems flag a request for abuse policy violations, or when you explicitly request support.

Full IP ownership

Your Inputs and Outputs are yours. We claim no rights over your data or the classification results we generate for you.

Infrastructure Security

EU data residency

All data is processed and stored in the European Union (AWS eu-west-1, Ireland). No customer data leaves the EU during processing.

Encryption everywhere

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Database connections are encrypted and access-controlled.

Network isolation

All services run in isolated VPCs with no public database access. Internal services communicate over private subnets with strict security groups.

Managed infrastructure

We use managed AWS services (RDS, ECS Fargate, S3) with automated patching, multi-AZ redundancy, and automated daily backups.

API Security

API key authentication

Every request is authenticated with a unique API key. Keys are hashed before storage and never logged in plaintext.

Rate limiting

Per-key rate limiting at both request and token level protects against abuse and ensures fair usage across all customers.

Instant key revocation

API keys can be revoked instantly from the dashboard. Revoked keys are rejected within seconds across all endpoints.

Spending controls

Set monthly budget limits per API key. When a key hits its limit, requests are automatically blocked — no surprise bills.

Usage notifications

Get email alerts when you reach spending thresholds. Monitor usage in real time from your dashboard.

Audit trail

All API requests are logged with timestamps, endpoints, and response codes. Usage logs are accessible from your dashboard.

Application Security

Authentication

Dashboard access is secured via OAuth 2.0 (Google). No passwords are stored by Classer. Session tokens are short-lived and rotated automatically.

Secrets management

All credentials and secrets are stored in encrypted environment variables managed through AWS. No plaintext secrets in code or configuration.

Dependency monitoring

All dependencies are continuously monitored for known vulnerabilities. Security patches are applied promptly.

PCI-compliant payments

All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. We never store, process, or transmit card numbers.

Reliability & Incident Response

Uptime SLA: 99.9%

Multi-AZ infrastructure with automated failover. Zero single points of failure.

Incident Response: < 1h

Security incidents acknowledged within 1 hour. Critical issues escalated immediately. Post-incident reports shared.

Anomaly Detection: < 5 min

Issues detected and flagged before they reach your workloads. Automated alerts on latency spikes, error rates, and abnormal request patterns.

Compliance

Framework | Details | Status
GDPR | EU data residency. DPA available. | Compliant
CCPA | No data selling. Deletion honored. | Compliant
SOC 2 Type II | Audit in progress. | Aligned
CASA Tier 3 | Security assessment aligned. | Aligned
DPA | Available for enterprise. | Available

Subprocessors

We use a limited set of trusted third-party providers, all bound by strict confidentiality and data processing agreements.

Provider | Purpose | Location
AWS | Infrastructure, compute, storage, DB | EU
Stripe | Payment processing | US

Enterprise Security

Need additional security controls? Enterprise plans include:

  • Custom data retention policies
  • Signed Data Processing Agreement
  • SSO / SAML integration (coming soon)
  • Dedicated support SLA
  • Custom rate limits
  • Security questionnaire completion

Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a security vulnerability in Classer, please report it to security@classer.ai. We commit to acknowledging all reports within 48 hours and will work with you to understand and resolve the issue promptly.