trust & security

Trust & Security

Last updated: June 16, 2026

Siftfy is designed so the most sensitive thing you send us — the message content you want classified — is never stored. We classify it in memory and discard it. This page documents how we handle data, where we process it, and the controls we run.

Data handling at a glance

  • Prediction content is never stored. Text sent to /v1/predict is classified in memory and not persisted to any database, log, error report, backup, or support system.
  • Nothing sensitive in diagnostics. Logs and error responses carry metadata only — never the submitted text.
  • No training on your traffic. We do not use live request content to train or fine-tune models. Optional feedback corrections are stored only as a salted one-way fingerprint, never as readable content.
  • US processing. All customer data is processed and stored in the United States.
  • No data sales. We never sell or rent your data or share it with advertisers.

Security controls

  • Encryption in transit. All API and dashboard traffic is TLS-only.
  • Passwordless authentication. Sign-in is via magic-link email or WebAuthn passkey; we never store passwords.
  • Hashed API keys. Keys are stored hashed and shown to you only once at creation. Revoked keys are purged after 90 days.
  • Least privilege. Internal access follows the principle of least privilege and is reviewed on a recurring basis.
  • Abuse controls. Per-key and per-IP rate limiting, with tenant-attributed, deduplicated feedback to resist poisoning.
  • Backups. Point-in-time recovery on production datastores, with backups rolling off within about 30 days.

Where we process data

Customer data is processed and stored in the United States. Databases (DynamoDB), transactional email (SES), and storage run on Amazon Web Services in the us-east-1 (Northern Virginia) region; application compute runs in a US region.

Subprocessors

The third parties that process customer data on our behalf:

SubprocessorPurposeDataLocation
Amazon Web ServicesHosting, database, transactional emailAccount & request metadata, emailsUnited States
StripePayment processing & billingBilling detailsUnited States
Google AnalyticsOpt-in website analytics (marketing site only)Aggregate, pseudonymous usage metricsUnited States
FontshareWeb-font delivery (marketing site)None beyond standard request logs

None of these subprocessors receives the content you submit to /v1/predict.

Data Processing Agreement (DPA)

Siftfy acts as a data processor for the limited request metadata it stores on your behalf and as an independent controller for account and billing data; processing takes place in the United States. If your organization requires a separate Data Processing Agreement, email hi@siftfy.io and we will work with you to put appropriate terms in place, including the Standard Contractual Clauses where they are required for transfers from the EEA, the UK, or Switzerland.

Retention

A full retention schedule is in our Privacy Policy. In short: prediction content is not retained; logs roll off within 90 days; revoked keys within 90 days; magic-link tokens within 15 minutes; billing records are kept as legally required; and account data is deleted on request.

Reporting a vulnerability

Found a security issue? Email hi@siftfy.io. We acknowledge reports promptly and will work with you on a responsible disclosure timeline.

Common security & privacy questions

Is the message content I submit stored in logs, databases, backups, or support systems?

No. The text you send to /v1/predict is classified in memory and is not written to any database, log line, error report, backup, or support tool. Once Siftfy returns the score, the content is gone from our systems.

Can my request content appear in debugging, monitoring, or error logs?

No. Our application logs and our validation/error responses are built to carry only metadata — request ID, status, timing, detected language, the spam probability, and account identifiers. They do not include the submitted text. We do not run a third-party error-capture or session-replay tool that would ingest request bodies.

In which country is my data processed?

In the United States. Siftfy's databases, transactional email, and storage run on Amazon Web Services in the us-east-1 (Northern Virginia) region, and our application compute runs in a US region.

Do you offer a DPA or documentation of your security controls?

If your organization requires a Data Processing Agreement, email hi@siftfy.io and we'll work with you to put appropriate terms in place, including Standard Contractual Clauses where they're required for transfers out of the EEA, UK, or Switzerland. This Trust & Security page documents our security controls, subprocessors, data residency, and retention.

What operational data do you retain, and for how long?

We retain account email and account metadata for the life of the account; request metadata (timestamps, status, duration, language, spam probability, tenant and key identifiers) and usage counts to bill and operate; server and application logs for up to 90 days; revoked API keys for 90 days; magic-link sign-in tokens for 15 minutes; and billing records as required by tax law (typically 7 years). None of this includes the content you submit for classification.

Is message content ever used for model training, quality improvement, or analytics?

Live prediction content is never used for training, quality improvement, analytics, or anything else — it is not retained. If you opt to submit a ham/spam correction to /v1/feedback, we use that text only to compute a salted one-way fingerprint; we store the fingerprint and label to improve accuracy, never the readable content. Marketing-website analytics are first-party and opt-in and never see API content.

If I stop using Siftfy, is any of my data retained after account deletion?

On a deletion request we remove your account email, API keys, passkeys, usage records, and the feedback fingerprints attributed to your account; backups containing that data roll off within about 30 days. The only data we keep is billing and tax records we are legally required to retain.

Contact

Questions about security or data handling? Email hi@siftfy.io.