Status: DRAFT. Written for a technical/security reviewer. Should be reviewed alongside a qualified security professional before being relied upon for a formal assessment.

Security Whitepaper

Last updated: July 2026 (pre-launch draft)

1. Purpose

This document describes how ProjectIQ handles the code and information you submit for analysis, so you (or your organization's security reviewer) can evaluate whether the service meets your requirements before you upload anything.

2. Processing architecture

ProjectIQ processes your submission through a multi-pass pipeline. The key architectural property: raw source code and text are never written to persistent storage.

3. How your Claude API key is handled

4. Redaction (zip input, once live)

Once the zip upload path is enabled, a redaction pass will run against submitted code/text before it reaches the Claude API, detecting and stripping common secret patterns — API keys, connection strings, credentials in configuration files — to reduce the chance that a sensitive value is included in any model input. This path is currently disabled in the product while that pass is being built.

5. Encryption

6. What is retained

7. Sub-processors

ServicePurpose
Anthropic (Claude API)Runs the analysis pipeline, using your own supplied API key
SupabaseDatabase and storage for accounts and reports
Vercel / RenderApplication hosting
TwilioOne-time code delivery for sign-in
Payment processorNot yet selected — no live payment processing exists today

8. Access controls

Internal access to submitted content or generated reports outside of automated processing is limited to debugging a reported issue, and any such access is logged. Further specifics on authentication, role-based access, and infrastructure hardening will be added here as they are implemented.

9. Incident response

In the event of a suspected data exposure affecting your submitted content or generated reports, we will notify affected users as soon as practicable after confirming the incident. This section will be expanded into a full incident response plan as the product scales.

10. What this document does not cover

This is not a substitute for a formal security audit, penetration test, or compliance certification (e.g., SOC 2). ProjectIQ does not currently hold third-party security certifications. If your organization requires one before adopting the tool, please contact us to discuss.

11. Contact

Security questions or vulnerability reports: surya.builds.web@gmail.com
This document reflects the architecture described in ProjectIQ's internal product requirements as of this draft. It should be kept current as the actual implementation evolves, and reviewed by a security professional before being relied upon by enterprise customers.