Security at CiteDash
Academic research is sensitive work. We treat your data with the care that scholarship deserves.
How we protect your data
- Encryption in transit: All connections to citedash.ai use HTTPS with HSTS preloading.
- Encryption at rest: Research content, references, and account data are encrypted using AES-256 in our hosting providers' managed key infrastructure.
- Authentication: We use Supabase for identity, with OAuth (Google, Apple) and session tokens that expire and refresh server-side.
- Database isolation: PostgreSQL row-level security policies enforce that one user can never read another user's research, references, or notes.
- No training on your data: We do not use your research queries, generated reports, or uploaded documents to train any AI model. Your work is yours.
Vendor sub-processors
We rely on a small set of carefully selected vendors. The current list includes Supabase (auth + database), Render (application hosting), Cloudflare (DNS + CDN), Stripe (payments), Sentry (error monitoring), PostHog (product analytics, with your explicit consent), and the underlying LLM and academic-search providers used to fulfill your research requests. The full sub-processor list is published with our privacy policy.
Responsible disclosure
If you find a security issue, please report it before disclosing publicly. We aim to acknowledge within 48 hours and ship a fix or mitigation as quickly as the issue's severity warrants.
Email: security@citedash.ai
Machine-readable: /.well-known/security.txt (RFC 9116)
What we ask
- Give us reasonable time to investigate and fix before public disclosure.
- Do not access, modify, or destroy data that doesn’t belong to you. Stop testing if you encounter another user’s data.
- Don’t run automated scans that degrade service quality for other users.
- Don’t use social engineering against employees or contractors.
We do not currently run a paid bug-bounty program, but we recognise contributors publicly (with their permission) on a Hall of Fame page once we have enough reports to publish one.
Compliance roadmap
SOC 2 Type I is on our 2026 roadmap. We’ll publish a progress update here when audit fieldwork begins. For institutional buyers requesting a Vendor Security Assessment, please reach out to security@citedash.ai and we’ll send our latest security questionnaire response.