GAAP IQ handles draft agreements, unreleased filings, and pre-decision accounting positions. Everything below is enforced in code or infrastructure — not just policy — and we only publish a claim after the behavior behind it ships.
Your content is isolated to your account and never appears on any internal surface.
Encrypted at rest and in transit, including backups.
Your content is never used to train AI models, and the AI providers we route to don't keep it.
Documents you upload are processed for your session and automatically deleted 24 hours later.
A deliberately short list, each provider only for its function:
| Provider | Role | Data posture |
|---|---|---|
| AI model providers | AI model inference (research, memos, drafts) | Zero-data-retention routing enforced in code on every request; no training on content. Provider list available on request. |
| Render | Hosting and database (United States) | AES-256 at rest, TLS in transit |
| Stripe | Payments | We never see or store card numbers |
| Sign-in (only if you choose it) | Name, email, profile photo only | |
| Resend | Transactional email (password resets) | Email address only — never content |
To answer your questions, our systems necessarily read your content at runtime — retrieval searches it and the AI models process it to generate output. So we don't claim your content is invisible to processing; we claim, and enforce, that it isn't retained by AI providers, isn't used for training, isn't shown on any surface we operate, and — for uploads — is deleted within 24 hours. Deleted data can persist briefly in encrypted backups until they expire on their cycle.
Our controls are designed against SOC 2 criteria; a formal independent audit is on our roadmap. Security questions or disclosure requests: support@gaapiq.ai.