Log inGet started
Trust & security

How we protect your documents

Agencies, universities, and businesses send us documents that matter. Here is exactly how they are handled — written to be quoted in your security review.

Where your documents live

All processing and storage happens in United States regions: our application and remediation workers run on Google Cloud (us-west2 / us-central1) and documents are stored in US-hosted object storage. Documents never leave the US as part of processing.

Files are encrypted at rest (AES-256) and in transit (TLS 1.2+). Browsers are pinned to HTTPS via HSTS.

Who can see them

Every database row and stored file is scoped to your organization with row-level security — enforced by the database itself, not just application code. One customer can never read another's data, even in the event of an application bug.

Downloads use short-lived signed URLs (60–120 seconds) instead of public links. Our processing services accept requests only from our own job queue — they are not reachable from the internet.

Secrets (database credentials, API keys) live in Google Secret Manager, never in code or configuration files.

AI processing without training

Remediation uses Google Cloud's paid Document AI and Gemini APIs. Under Google Cloud's terms for paid services, your documents are NOT used to train models. Your files are processed to produce your accessible output, and that is all.

Your controls

Document retention: set an automatic deletion window (30 days to 1 year) in Settings — originals and outputs are permanently purged on schedule, with each purge recorded.

Activity log: a server-written, tamper-evident trail of uploads, downloads, edits, applies, and deletions — exportable as CSV for your compliance team.

Right to delete: self-service account deletion removes your documents and login entirely; only anonymized billing records are retained for accounting.

Service reliability

Infrastructure runs on Google Cloud Run with automatic scaling and health-checked deployments. New releases are staged and smoke-tested before receiving traffic, and every deploy is pinned to an immutable image digest.

Failed remediation jobs are refunded to your balance automatically.

On our roadmap

SOC 2 Type II attestation, SSO/SAML for organization sign-in, and enforced multi-factor authentication for organization members. If your procurement process needs specific documentation now, email us — we answer security questionnaires directly.

Subprocessors

The services we rely on to run AccessiblePDF. Documents themselves touch only Google Cloud and Supabase.

ProviderPurposeRegion
Google CloudApplication hosting, document processing (Document AI, Gemini), storageUnited States
SupabaseDatabase, authentication, file storageUnited States
StripePayments (we never see or store card numbers)United States
BrevoTransactional email (signup confirmations, notifications)EU/US
n8n CloudInternal operations notifications (new-signup alerts)EU

Reporting a vulnerability

Found something? Email [email protected] with “SECURITY” in the subject. We acknowledge within one business day and will not pursue good-faith researchers.