Your data stays your data.
We don't use customer datasets to train shared models. Each workspace is isolated, and production deployments use encrypted transport and access controls by default.
The /demo route uses sessionStorage only — annotations are cleared when you close the tab and are never visible to the next visitor on a shared device. Demo images never leave your browser. In a verified workspace, uploaded image bytes go directly from your browser to your object storage bucket via a signed PUT URL; our application servers never see the bytes, only the metadata (filename, dimensions, checksum).
Security built into the product, not bolted on.
Encrypted in transit
TLS 1.3 everywhere. HSTS headers. Strict no-mixed-content. Security headers enforced on every response.
Tenant isolation
Every query is scoped to your organization. No cross-tenant data exposure. Enterprise tenants can request dedicated storage isolation.
RBAC built in
Ten org roles with typed, non-hardcoded permissions. Annotator, Reviewer, ML Engineer, and Owner roles out of the box. SSO on enterprise plans.
No shared training by default
Customer datasets are not used to train shared models. Contribution mode is opt-in and contract-bound.
Signed URLs for files
Production uploads go directly from the browser to S3-compatible object storage via short-lived signed PUT URLs (default 900-second TTL). Our application servers never receive the bytes.
Audit logs
Every sensitive change — signup policy, financial policy, offer / promo / credit transitions, gift-card issue, access-request decisions — writes an immutable audit row with actor, reason, before/after, and a request ID. Cross-cutting timeline at /admin/audit.
Compute isolation
GPU and training workers are external and never co-located with the control plane. The web server does not execute model code or GPU kernels.
Need a security questionnaire?
For enterprise pilots, security reviews, on-prem deployments, or compliance requirements, note “enterprise” in your request and our team will route it appropriately.