How We Handle Your Data
No marketing claims. No false certifications. Here's exactly what happens to your documents — and what you can control.
Data Lifecycle
- Upload: Document sent via HTTPS (TLS 1.3) to our backend
- Process: Text extracted and sent to LLM API for analysis
- Store: Results stored in encrypted PostgreSQL database
- Expire / Delete: Auto-purged per retention policy, or manual deletion
Encryption Posture
LLM Data Handling
Your document text is sent to third-party LLM providers (Google Gemini, OpenAI) for analysis via their API.
- Providers do not train on API data per enterprise terms of service
- Data is not stored by providers beyond the processing window (typically 30 days for abuse monitoring)
- Enterprise API agreements with both Google and OpenAI
Retention Policy
Default: indefinite (data kept until you delete it). You can configure automatic purging at 30, 90, or 365 days. When data is purged, review results are nullified, uploaded files are deleted, and a metadata tombstone is kept for the audit trail.
Your Rights (GDPR)
Data Portability
Download all your data as a ZIP file: profile, reviews, credit transactions, audit log.
Right to Erasure
Permanently delete all your data: reviews are purged, knowledge base removed, account anonymized.
Compliance Posture
PAK4L Controls
- JWT authentication with refresh tokens
- bcrypt password hashing (cost 12)
- Atomic credit deduction (no race conditions)
- Tier-based access control (RBAC)
- Append-only audit log (tamper-evident)
- Configurable retention policies
- GDPR data export & erasure endpoints
- Rate limiting on auth endpoints
Inherited from Providers
- SOC 2 Type II — Railway, Google Cloud, OpenAI, Vercel
- ISO 27001 — Google Cloud
- GDPR — Railway (EU), Google Cloud, OpenAI
- PCI DSS Level 1 — Stripe (payments only)
- AES-256 Disk Encryption — Railway managed PostgreSQL
Deployment Modes
SaaS
Multi-tenant. EU-hosted database. Global CDN. Managed by PAK4L.
Dedicated
Single-tenant. Your choice of cloud region. Full data isolation.
On-Premise
Self-hosted in your infrastructure. Air-gapped capable. Full control.
Data Residency
| Component | Provider | Region |
|---|---|---|
| Database (PostgreSQL) | Railway | EU (Frankfurt) |
| Frontend CDN | Vercel | Global (Edge) |
| LLM API Calls | Google / OpenAI | US |
| Payments | Stripe | US / EU |
AI Agent Reliability Benchmark
We continuously evaluate our multi-agent system against an annotated corpus of 150+ documents across legal, compliance, financial, and technical domains. All metrics are self-reported with full methodology disclosure.
| Metric | Value | Basis |
|---|---|---|
| Issue Detection Rate | 69.2% | vs. annotated ground truth |
| Cross-Agent Agreement | 32.1% | severity consensus ≥2 agents |
| Severity Accuracy | 78.3% | ±1 level tolerance |
| Consistency Score | 55.6% | same doc → same results |
| Thoroughness Multiplier | 8.5x | issues found vs. baseline |
Methodology
Test Dataset
- 153 documents, 2,847 pages total
- Contracts, compliance reports, financial analyses, technical specs
- 1,204 expert-annotated issues across all severity levels
- 4 languages: Italian, English, Spanish, German
Evaluation Process
- Double-blind: annotators and agents see documents independently
- Each document reviewed 3x to measure consistency
- Cross-agent debate validated against expert consensus
- Benchmark re-run monthly after each model or agent update
Transparency Note
These metrics are self-reported from our internal benchmark suite. We are actively pursuing independent third-party audit and SOC 2 Type II certification. Benchmark results may vary based on document complexity, language, and domain. PAK4L is an AI-assisted tool — final decisions should always involve human review.
Agent Debate Transparency
Every PAK4L review includes a full Boardroom transcript showing how agents reach their conclusions. This means you can always verify:
- Which agent flagged each issue: Full attribution with agent role and expertise area
- Why they disagree: Cross-agent disputes and severity debates are logged
- How consensus was reached: Coordinator synthesis with evidence-based reasoning
Questions about security?
Contact our team for detailed security documentation, custom deployment options, or compliance questionnaire support.