Data Protection

Last updated: February 16, 2026

How we protect your data

At Conteqx, data protection is built into the foundation of our architecture. We employ multiple layers of security to ensure your data remains private, secure, and under your control.

Encryption Standards

We employ industry-leading encryption standards across our entire platform:

Data in Transit

All communications use TLS 1.3, the latest and most secure transport layer protocol.

Data at Rest

All stored data is encrypted using AES-256, the same standard used by financial institutions and governments.

API Keys

Encrypted using AES-256-GCM with unique initialization vectors. We use a zero-knowledge architecture: we never have access to your plaintext API keys.

Database

Our database uses transparent data encryption (TDE) with automatic key rotation.

Local-First Architecture

Conteqx is built with a local-first philosophy. By default, your data stays on your device:

  • Conversation history stored locally in your browser
  • No server-side logging of chat content
  • Optional cloud sync with end-to-end encryption
  • Export your data at any time in standard formats
  • Delete local data instantly through the settings

Access Control

We implement strict access controls to minimize exposure of your data:

  • Principle of least privilege for all team members
  • Multi-factor authentication required for all internal systems
  • Role-based access control (RBAC) for administrative functions
  • Automated access reviews and audit logging
  • Segregation of duties for critical operations

Infrastructure Security

Our infrastructure is designed for security and resilience:

  • Hosted on SOC 2 compliant cloud providers
  • Automated security patching and updates
  • DDoS protection and Web Application Firewall (WAF)
  • Regular penetration testing by third-party security firms
  • Continuous vulnerability scanning with automated alerting
  • Network segmentation to isolate sensitive components
  • Automated backups with encryption

Data Retention & Deletion

We follow strict data retention and deletion policies:

Account Data

Retained for the duration of your active account. Deleted within 30 days of account closure.

Conversation Data

Stored locally on your device by default. Cloud data deleted immediately upon request.

Payment Data

Handled by Stripe. We do not store credit card numbers or financial details.

Analytics Data

Anonymized analytics retained for up to 12 months for service improvement.

Server Logs

Access logs retained for 90 days for security monitoring, then automatically purged.

Compliance & Certifications

We maintain compliance with major data protection regulations:

GDPR

Full compliance with EU General Data Protection Regulation

CCPA

California Consumer Privacy Act compliance

SOC 2 Type II

Audit in progress

ISO 27001

Information security management (planned)

Questions about data protection?

Our Data Protection Officer is available to answer any questions about how we handle your data.