Security

How we protect your data, who processes it, and how we announce new sub-processors.

Security posture

In transit + at rest

All traffic over TLS 1.2+. Neon Postgres encrypts at the disk level. Backups live under Neon control, same region, encrypted.

Authentication

NextAuth credentials flow. Passwords are one-way hashed (bcrypt). Sessions live in HTTP-only + Secure cookies.

Data isolation

Every API endpoint verifies project ownership. Multi-tenant access is enforced at the row level.

AI gateway + ZDR

Anthropic calls run with Zero Data Retention (`zdrOptions`). Your content never reaches training pipelines or provider-side persistence.

Monitoring + disclosure

Errors via Sentry. Report security issues to security@litelekt.ai; response target 48 hours.

Sub-processors

Service	Role	Data processed	Region	Transfer mechanism
Vercel Inc.	Hosting, Functions, Analytics	All product data in transit and at rest	US	SCCs + adequacy
Neon Inc.	Postgres database	Account, project, protocol data	US	SCCs + adequacy
Anthropic PBC	AI model inference (Claude) via gateway	User research questions and slot content during AI call; ZDR enabled	US	SCCs + ZDR guarantee
Resend Inc.	Transactional email	Email address and transactional email content	US	SCCs
Stripe, Inc. / Stripe Payments Europe	Payments	Name, email, billing address, last-4 card digits	US / IE	SCCs + adequacy (EU→US)
Sentry	Error monitoring (if deployed)	Error stack traces, session id, user id (not PII content)	US	SCCs

We update this list and notify registered users 30 days before adding a new sub-processor.

Responsible disclosure

If you think you have found a vulnerability, please report to security@litelekt.ai. We prefer coordinated disclosure: we reply within 48 hours and ask that you hold public details until a fix is live.

security@litelekt.ai Privacy Legal hub