Trust & Security

You're uploading privileged records. Here's exactly how we treat them.

Case bundles hold medical records, PHI, and privileged litigation material — the most sensitive documents you handle. This page is the plain-English version of how CitePage protects them: never used to train AI, never sold, encrypted in transit and at rest, deletable at any time, and isolated to your account. We're also honest about what we don't yet claim.

The short version

What matters most, up front.

The detail, in plain English

How each protection actually works.

No training · No sale

We never train AI on your data, and never sell it.

Your case records are used for one thing only: producing your chronology. They are never used to train or fine-tune any AI model, never sold, and never shared or repurposed for advertising or any other business.

The AI that reads your records is Anthropic's Claude API, and Anthropic is contractually barred from training on the data we send it. Their commercial terms are explicit:

Anthropic's Commercial Terms of Service state that Anthropic "may not train models on Customer Content from Services." — Anthropic Commercial Terms of Service

In other words, no-train isn't just our promise — it's backed by our AI provider's contract with us.

Encryption

Encrypted in transit and at rest.

Everything you upload travels over TLS/HTTPS, so records are encrypted on the wire between your browser and CitePage. Once received, they're stored on encrypted infrastructure — our host, Fly.io, encrypts its storage volumes at rest.

We want to be precise rather than impressive: this is transport encryption plus encrypted-at-rest storage. We do not currently claim application-level or field-level encryption of individual record contents, and we won't describe our security as something it isn't.

Deletion & retention

You control retention — including deletion.

You can delete any case and its source files at any time from your account. When you delete a case, its uploaded records are removed from active storage.

We're also rolling out an option to auto-delete the original records as soon as the chronology is built, so that all we keep is the cited timeline you rely on — not the raw bundle. Our direction is to hold sensitive source material for as short a time as your workflow allows.

Tenant isolation

Your data is scoped to your account.

Every account's records, chronologies, and audit logs are isolated to that account. One expert's case material is never visible or accessible to another customer.

Access to production systems is limited to what's needed to run and support the service, and we design access around the principle that your privileged material stays yours.

Authorship

You author every opinion.

CitePage organizes facts and cites them to their source pages. It flags conflicts, gaps, and causation questions for your judgment — but it never writes a conclusion.

We do not practice law or medicine, and CitePage is not legal or medical advice. Every opinion, and every word that carries your name, is authored and signed by you.

Audit trail

An exportable record of the AI's work.

CitePage keeps an exportable audit trail of AI-assisted actions on your case, so that if your methodology is ever questioned in discovery, you can produce an organized record instead of scrambling.

That trail is for your defense — it is part of your case data, isolated to your account, and handled under the same no-train, no-sale, deletable terms as the rest of your records.

Who touches your data

Our subprocessors — the short, honest list.

We keep our vendor list small on purpose. These are the third parties that process data on our behalf to run the service. Each is bound to handle data only to provide their function to us.

| Subprocessor | What they do | Data & location |
| --- | --- | --- |
| Anthropic | AI processing — the Claude API reads your records to build the chronology | Case content sent for processing; contractually barred from training on it |
| Fly.io | Application hosting and storage of your case data | Uploaded records and chronologies, stored on encrypted volumes (United States) |
| Cloudflare | Content delivery (CDN) and privacy-friendly, cookieless website analytics | Website traffic only; aggregate, cookieless analytics — no user records |
| Porkbun | Domain registration and DNS | DNS only — no user data or case records pass through it |

We'll keep this list current. If we add or change a subprocessor that processes customer content, we'll update this page.

Honest about the roadmap

What we're still building — and won't claim before it's true.

We are not going to overstate our compliance posture. A signed Business Associate Agreement (BAA) for customers who need one, and formal third-party security certifications, are in progress — not finished.

So, plainly: CitePage does not today claim to be "HIPAA compliant," and we are not "SOC 2 certified." We've built the service around the practices those frameworks care about — no training on your data, encryption, isolation, deletion, and a minimal vendor list — and we're working toward the formal agreements and audits. When they're real, we'll say so here, with specifics. Until then, we won't.

If your engagement requires a signed DPA or BAA today, reach out — we can work through what you need. See our Data Processing Addendum summary for how we handle customer content as a processor.

Talk to a human

Questions about security or your data?

We'd rather answer a hard question than have you guess. Email us and a person will reply.

Questions? security@citepage.com or hello@citepage.com.

Related: Privacy Policy · Terms of Service · Data Processing Addendum.

Try it free

See it on your next case — free.

Upload one consented case bundle. Get a page-cited chronology back, handled under exactly the terms on this page. You author every opinion.