You handle confidential study documents — protocols with proprietary drug information, monitoring plans with site-level details, investigator's brochures with unpublished safety data. Some of these are covered by confidentiality agreements with your clients. We understand what's at stake.
That's why we're not going to give you vague reassurances. Instead, we're going to show you exactly what happens to your documents at every stage — from upload to output delivery to deletion. You evaluate data integrity controls professionally. We're going to give you the same level of detail you'd expect in an audit.
We believe transparency is better than assurance. Here is the complete data flow for every document you upload.
Every document uploaded to GxP Prep AI follows this exact path. There are no background processes, no hidden data flows, and no exceptions.
When you select a file and click upload, the document is transmitted from your browser to our application server via HTTPS (TLS 1.2+). This is the same encryption standard used by banks and healthcare platforms.
The serverless function extracts the text content from your document. This extraction happens entirely in server memory. The original file and extracted text are held in memory only — they are never written to disk or to any database.
The extracted text is sent to Anthropic's Claude API for analysis and audit package generation. This means your document's text content does leave our server and is transmitted to Anthropic's infrastructure for processing. We use this section to be fully transparent about this step.
The AI-generated audit content is checked against our Regulatory Knowledge Graph. During this step, the AI output (not your original document) is compared against our database of verified regulatory text.
The validated content is formatted into a structured Word document with epistemic tags, regulatory citations, and a validation summary. This document is generated in server memory and streamed to your browser as a download.
After your audit package is delivered, the serverless function completes and its memory is released. Your uploaded document, the extracted text, the AI-generated content, and the formatted output all cease to exist on our infrastructure.
If you delete your account, the only data that existed — your email, subscription status, and usage count — is removed. There are no document traces to delete because none were ever created.
We believe you have a right to know every external service that touches your data and what their commitments are. Here is the complete list:
| Service | What It Does | What Data It Sees | Their Data Commitment |
|---|---|---|---|
| Anthropic (Claude API) | Generates audit content from your document text | The extracted text from your uploaded document, during processing only | API inputs are not used for model training. Inputs are not retained beyond processing duration. |
| Vercel | Hosts the web application and serverless functions | Encrypted web traffic. Document data exists in serverless function memory during processing only. | SOC 2 Type 2 certified. Data encrypted in transit (TLS 1.2+). Serverless function memory is released after execution. |
| Supabase | Stores user accounts, subscription data, and the Regulatory Knowledge Graph | Your email, subscription tier, and usage count. Does NOT see your uploaded documents. | SOC 2 Type 2 certified. Row Level Security enforced. Data encrypted at rest and in transit. Americas region hosting. |
| Stripe | Processes subscription payments | Your payment information (card number, billing address). We never see or store your full card number. | PCI DSS Level 1 certified (highest level). Payment data fully managed by Stripe. |
We respect you too much to bury important nuances in fine print. Here is an honest accounting of our security posture:
We would rather tell you exactly where we are today than make claims we can't back up. This page will be updated as our security posture evolves.
We know that some of you will need to explain your use of this platform to sponsors or clients who are sensitive about document confidentiality. Here is a summary you can share or adapt:
We are actively working to strengthen our security posture. Here is what's planned:
| Timeline | Initiative | Status |
|---|---|---|
| Before beta launch | Privacy policy published (GDPR/CCPA compliant) | In progress |
| Before beta launch | Terms of Service reviewed by attorney with AI liability specialization | In progress |
| Before beta launch | Anthropic API data handling terms reviewed and documented | In progress |
| Near-term | Errors & Omissions (E&O) insurance obtained | Planned |
| Near-term | Evaluate Anthropic zero-data-retention API options if available | Planned |
| Near-term | Client-side document parsing to minimize text sent to API | Under evaluation |
| Medium-term | Independent security audit / penetration test | Planned |
| Medium-term | SOC 2 Type 2 readiness assessment | Planned |
| Medium-term | Data Processing Agreement (DPA) for enterprise/EU customers | Planned |
This roadmap will be updated as items are completed. We will notify all users when significant security milestones are reached.
No. Your documents exist only in server memory during processing. Once your audit package is delivered and the serverless function completes, the memory is released. There is no database record, no file system copy, and no backup. We cannot retrieve your documents because they no longer exist anywhere.
Anthropic's API Terms of Service state that they do not use API inputs to train their models and do not retain inputs beyond the duration needed for processing. We encourage you to review Anthropic's API terms directly for the most current commitments.
Yes. All data in transit between your browser and our servers, and between our servers and third-party APIs, is encrypted via TLS 1.2 or higher. Your account data stored in Supabase is encrypted at rest. Payment data is managed entirely by Stripe, which is PCI DSS Level 1 certified.
Because we do not store your documents, a breach of our infrastructure would not expose your study documents. An attacker accessing our database would find only email addresses, subscription tiers, and usage counts. They would not find any study documents, audit packages, or document-related data because none is stored.
You should review your specific confidentiality agreement. The key fact for your assessment: your document's text content is transmitted to Anthropic's API for processing (encrypted in transit, not retained per Anthropic's terms). If your agreement restricts sharing document content with third-party processors, you should consult with your client before using the platform. We are transparent about this rather than claiming it does not apply.
GxP Prep AI as an entity does not currently hold SOC 2 certification. Our infrastructure providers — Vercel (hosting) and Supabase (database and authentication) — are both SOC 2 Type 2 certified. SOC 2 readiness is on our security roadmap. We will update this page when we achieve it.
Yes. Any material changes to how we handle your data will be communicated to all users via email before the changes take effect. This page will always reflect our current practices.