Trust & Security at Filtrate
The compliance layer marketplaces use — built to be auditable from day one. This page documents how we handle data, who our sub-processors are, and what we do to keep your pipeline secure.
Data Handling
Filtrate is designed to minimize data exposure at every step. The architecture is intentionally simple: image bytes arrive, get processed in-memory, and the processed result goes to storage. The original never does.
Image Lifecycle
.webp({ quality }) — no .withMetadata() call, so all EXIF, IPTC, XMP, and GPS tags are stripped before any downstream step.verdict_cache. No image bytes are stored alongside it.Retention
Sub-Processors
We use a small, stable set of third-party processors. All are SOC 2 certified or equivalent. If a new processor is added, we will update this page and notify enterprise customers.
| Processor | Purpose | Data Shared | Region | DPA / Security Docs |
|---|---|---|---|---|
| Render | Application hosting — runs the Express API server | All inbound API traffic; no data stored by Render beyond logs | us-east-1 (AWS) | render.com/dpa |
| Neon | PostgreSQL database — stores usage logs, API keys (hashed), invoices, and verdict cache | API key hashes, usage metadata, billing records. No image bytes. | us-east-1 (AWS) | neon.tech/privacy |
| Cloudflare R2 | Object storage — stores processed (EXIF-stripped) WebP output images | Processed WebP bytes only. Original input never reaches R2. | Global (Cloudflare network) | cloudflare.com/trust-hub |
| OpenAI | AI content moderation — GPT-4o-mini vision evaluates the processed WebP for compliance flags | Processed WebP bytes (post-EXIF-strip). No original input, no PII from your users. | US (OpenAI API) | openai.com/policies |
| Stripe | Payment processing — Stripe-hosted Checkout for invoice payment; Billing Portal for self-serve management | Customer billing contact (email), payment method. No image data. | US (Stripe servers) | stripe.com/privacy |
| Postmark | Transactional email — invoices, API key notifications, billing receipts | Recipient email address, email body content (invoice data). No image data. | US (Postmark servers) | postmarkapp.com/privacy-policy |
Compliance Posture
Filtrate operates as a data processor — we process images on behalf of marketplace operators (the controllers). Our DPA is available on request.
Security Practices
How we protect the API, your keys, and the data in transit and at rest.
Vulnerability Disclosure
We follow a coordinated disclosure model. If you find a security issue, we want to hear from you — and we'll work with you to fix it before public disclosure.
Responsible Disclosure Policy
Report security vulnerabilities to security@filtrate.polsia.app. Please include a description of the issue, steps to reproduce, and your assessment of severity.
Our commitments:
• We will acknowledge your report within 2 business days.
• We will provide a status update within 7 days confirming whether the issue is valid and our intended timeline.
• We operate a 90-day coordinated disclosure window — we ask that you do not publicly disclose the issue during this period while we work on a fix.
• We will credit researchers in our release notes (or maintain anonymity at your request).
We ask that you do not exploit or exfiltrate data, perform denial-of-service attacks, or access accounts that are not your own while researching potential issues.
Need a DPA, security questionnaire, or pen-test summary?
Email us directly at security@filtrate.polsia.app, or use this form and we'll respond within 1 business day.
Evaluating providers head-to-head? See our public latency, accuracy, and cost benchmarks →