Security
User inputs, retention, and training
Descrybe retains account and product data needed to operate the service, which may include user prompts, conversational/research history, generated outputs, metadata, and operational logs.
Currently, the only place to upload files is our brief review workflow, and we do not keep uploaded files once we have extracted the text for analysis. Our public privacy policy states that account information is stored unless a user asks us to delete their account.
Descrybe does not use customer prompts, files, or conversational history to train Descrybe-owned models.
Descrybe uses third-party AI providers to process certain requests. Our current, primary LLM provider is OpenAI's API. As of the last updated date of this Security statement, OpenAI's API documentation states that API inputs and outputs are not used to train OpenAI models by default unless the customer opts in. We have opted out, and periodically confirm that OpenAI has not changed those settings. OpenAI says they may retain API abuse-monitoring logs for up to 30 days.
Descrybe does not currently offer a customer-facing zero-retention mode. We have a history feature that allows users to view past searches, but users can delete their historical entries at any time.
SOC / ISO
Descrybe does not currently maintain its own SOC 2 or ISO 27001 certification. We have begun the process of obtaining SOC 2.
We currently rely on infrastructure and service providers with their own security/compliance programs. Our providers, DigitalOcean (hosting), Clerk (user authentication management), and Stripe (payments), each publish SOC/security documentation.
Underlying LLM model
Descrybe currently uses OpenAI API models for AI-generated summaries and research-related outputs. The exact model may vary by feature. We may update models over time for quality, safety, performance, or reliability. We do not currently provide user-by-user notices for every model update unless the change materially affects our terms, privacy posture, or data processing commitments.
Geography and segmentation
We limit the customer data we store; the data we do store resides on DigitalOcean servers, all in the New York City, New York region. Descrybe is structured around individual user accounts, not shared organization workspaces. A user's saved searches, history, and related product data are associated only with that user's own account. Access is protected through application and database access controls. We do not currently offer shared organization workspaces, matter-based workspaces, or separate file/vault permissioning. Our cloud infrastructure runs on provider-managed multi-tenant infrastructure, not physically dedicated hardware per customer.
Encryption
Data is encrypted in transit using HTTPS/TLS. For our DigitalOcean-hosted storage/database services, DigitalOcean indicates encryption in transit and encryption at rest for managed databases and Spaces object storage.
Employee, partner, and third-party access
Production customer data access is tightly restricted to authorized technical operations personnel on a need-to-know basis. Access is used only for operations, support, security, debugging, legal/compliance obligations, or customer-requested assistance. Descrybe does not sell customer data. Third-party service providers may process data as needed to deliver infrastructure, authentication, payments, analytics, support, and AI processing.
Vendor security info and documentation
OpenAI (API)
OpenAI maintains SOC 2 Type 2 compliance, covering their API and Enterprise services. Their documentation confirms that, by default, data sent to the API is not used to train their models. They also hold ISO 27001, 27017, 27018, and 27701 certifications.
Link: OpenAI API data controls
Trust Portal: OpenAI Trust Portal
DigitalOcean (Infrastructure & Trust)
DigitalOcean is SOC 2 Type II and SOC 3 Type II certified. Their Trust Platform provides downloadable audit reports. They also maintain CSA STAR Level 1 and use data centers that are ISO 27001 and PCI-DSS compliant.
Link: DigitalOcean Trust
DigitalOcean Spaces (Object Storage)
Spaces is included in DigitalOcean's SOC 2 Type 2 report. The documentation outlines the shared responsibility model, noting that data is encrypted at rest and in transit via SSL/TLS.
Link: DigitalOcean Spaces shared responsibility model
DigitalOcean Managed Databases
Managed Databases are also covered under DigitalOcean's SOC 2 report. Security features include end-to-end SSL encryption, daily backups with point-in-time recovery, and network isolation via VPC and firewalls.
Link: DigitalOcean security
Stripe (Payments)
Stripe is a PCI Level 1 Service Provider (the most stringent level) and is SOC 2 Type 2 compliant. They use AES-256 encryption for data at rest and require TLS 1.2 or higher for all communications.
Link: Stripe security
Clerk (Authentication)
Clerk is SOC 2 Type 2 and HIPAA certified. Their security framework includes regular third-party penetration tests, source code reviews based on OWASP standards, and compliance with the EU-U.S. Data Privacy Framework. They use enterprise-grade encryption and provide built-in protections against brute force and credential stuffing attacks.
Link: Clerk authentication
Security Documentation: Clerk security overview