We take security seriously. Learn about our technical safeguards, data privacy practices, and compliance standards designed to protect your regulatory intelligence.
All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.3. Database and file storage use AES-256 encryption at rest.
OAuth 2.0 authentication via Google. No passwords stored in our database. All sessions use secure, httpOnly cookies with CSRF protection.
We only collect data necessary for service operation. Your reading history, saved documents, and notes are private and never shared with third parties.
Hosted on Vercel's secure cloud infrastructure with automated security patching and DDoS protection.
All regulatory documents are sourced directly from official government agency websites (FDA.gov, EMA.europa.eu, etc.). We never modify or alter source documents.
24/7 monitoring, automated alerting for security events, and documented incident response procedures to ensure rapid response to any security concerns.
General Data Protection Regulation
We follow GDPR principles: data minimization, user consent, right to deletion, and transparent data handling
Service Organization Control
Our hosting providers (Vercel, Neon) maintain SOC 2 Type II certification for their infrastructure
Health Insurance Portability and Accountability Act
RegulatoryAlerts does not process Protected Health Information (PHI)
California Consumer Privacy Act
We follow CCPA principles: data disclosure, deletion rights, and opt-out mechanisms
Email address, name, and OAuth credentials (via Google).
Purpose: Authentication, account management, and service communications.
Therapeutic areas, agencies, notification preferences, timezone.
Purpose: Personalize content delivery and filter updates to your needs.
Pages viewed, searches performed, documents saved, reading history.
Purpose: Improve service quality, identify popular content, and provide personalized recommendations.
Processed by Stripe. We never store credit card numbers.
Purpose: Subscription billing. Handled by PCI-compliant payment processor.
Data is stored on Vercel's edge infrastructure and Neon's PostgreSQL databases, both hosted in secure US data centers with SOC 2 certification at the infrastructure level.
Yes. You can delete your account at any time from Settings, which will permanently remove all your personal data within 30 days.
Yes. Enterprise customers can request a custom DPA for GDPR compliance. Contact us for details.
We have documented incident response procedures and will notify affected users within 72 hours in accordance with GDPR requirements.
For individual accounts: No. For team/enterprise accounts: Administrators can view aggregate team analytics but not individual reading history unless explicitly configured.
If you have security questions, need a security white paper, or want to report a vulnerability, please contact our security team.
Contact Security TeamFor security vulnerabilities: Please email directly instead of creating public issues