Security

condense.chat is a context-compression proxy for LLM workloads. Conversations, prompts and compressed context flow through our infrastructure, so security and privacy are not features; they are the product. This page documents the controls we operate today: how engineers reach internal systems, how data is encrypted and retained, how we detect and respond to incidents, and where we stand on SOC 2, GDPR and other compliance regimes.

GDPR compliantSOC 2 Type II in progressEU data residencySSO + 2FA7-day content deletionNo training on your data

Authentication & access

Customers authenticate through Clerk with email + password, magic links, passkeys or OAuth. Every internal system (deployment, observability, secret stores) sits behind Google Workspace SSO with 2FA enforced at the identity provider, and an audited allowlist of staff accounts.

Encryption in transit & at rest

Infrastructure & isolation

Audit logging

Every privileged action on our admin and billing surfaces is written to an append-only audit trail. Identifiers are pseudonymised with keyed hashing (HMAC-SHA256) and IP addresses are truncated before storage, and the trail is protected at the database level so records cannot be altered or deleted.

Monitoring & incident response

Automated alerts fire within 1 to 5 minutes for authentication anomalies, rate-limit spikes, error-rate regressions and any gap in the audit trail. Alerts page on-call directly, and the dashboards our team watches are the same ones we draw evidence from during reviews.

Severity Definition Acknowledge Customer comms
SEV-1 · Critical Confirmed breach or service-wide outage < 15 minutes < 24 hours, status page + email
SEV-2 · High Customer-impacting degradation < 1 hour business / 4 hours off-hours < 48 hours if customer-visible
SEV-3 · Medium Internal regression, no customer impact Next business day Postmortem at next review

Supply chain & vulnerability management

Every code change runs an automated security workflow covering secret, static-analysis and dependency scans across our whole codebase.

Your data & privacy

What we can and can't see

condense.chat is a proxy, so your prompts and context pass through our service in order to be compressed. We are deliberate about what that means for your data, and we would rather state it plainly than leave it implied.

Compliance

Framework Status Notes
GDPR Compliant All data stored and processed in the EU; signed DPA on request.
SOC 2 Type II In progress Controls are operating and being formalised; we are engaging an auditor and working toward our observation window. Progress and target timeline available under NDA.
PCI DSS Out of scope Payments handled by Stripe Checkout; no card data touches our systems.
Vendor questionnaires Available CAIQ & SIG-Lite responses on request; email team@condense.chat.

Subprocessors

Vendor Purpose Region
Amazon Web Services (EMEA) S.à r.l. Cloud infrastructure and hosting EU (Ireland / Frankfurt)
Google Cloud EMEA Limited Cloud infrastructure and hosting EU
Clerk, Inc. User authentication and account management EU
Stripe Payments Europe, Ltd. (once integrated) Payment processing for paid plans EU (Ireland)
Hostinger UAB Transactional email delivery (account and approval notifications) EU (Lithuania)
Google Cloud EMEA Limited (Gemini API) AI-assisted analysis of operational logs and alerts for incident response EU
PostHog, Inc. Consent-gated product and website analytics (PostHog Cloud EU) EU (Frankfurt); SCCs in place

All sub-processors are bound by written contracts that impose data-protection obligations no less protective than those in our Data Processing Addendum. Each is subject to appropriate transfer safeguards (EU Standard Contractual Clauses, UK Addendum, and Swiss modifications where applicable).

Note on upstream LLM providers. condense.chat operates as a proxy. The upstream model provider you route to (OpenAI, Anthropic, Mistral and so on) is your own contractual relationship and is not a condense subprocessor; we do not control their region, retention or training defaults. The full and authoritative subprocessor list is published under /legal/ → Subprocessors.

Reporting a vulnerability

Security disclosures.

Found something? Email team@condense.chat. We acknowledge reports within 3 business days, give an initial assessment within 10 business days, and offer safe harbor for good-faith research.