Where is my data stored and processed?
All data processing occurs exclusively within the EU, ensuring compliance with EU data residency requirements and GDPR. We can accommodate specific regional requirements for global clients.
Do you offer Zero Data Retention (ZDR)?
Yes. When enabled, Zero Data Retention ensures that no search queries or results are stored.
Can you sign a Data Processing Agreement (DPA)?
Yes. We act as a Data Processor under GDPR and are prepared to execute DPAs that align with GDPR Article 28 requirements. Our DPA template is available upon request and clearly defines data handling responsibilities.
What certifications do you hold?
We are SOC 2 Type II certified. Our SOC 2 report is available upon request. We also undergo quarterly vulnerability scanning and annual penetration testing by independent third parties.
How quickly will you notify us of a security incident?
We commit to notifying affected clients within 72 hours of confirming a security incident that impacts client data, with 24‑hour capability for critical incidents. Our Security Incident Management Policy defines escalation procedures and response timelines.
Can you exclude specific domains or websites from search results?
Yes. We offer flexible content filtering through our ExcludeDomains API parameter, allowing you to exclude specific domains, competitors, or content sources from search results. Custom exclusion lists can be configured per API key for enterprise clients.
What subprocessors or third parties do you use?
We use a limited number of carefully vetted subprocessors, primarily Microsoft Azure (infrastructure) and Google Workspace (internal operations). All subprocessors are SOC 2 certified. A complete subprocessor list is available upon request.
How do you prevent crawling malicious or inappropriate content?
Our AI-powered content filtering identifies and blocks malicious content, malware distribution sites, phishing sites, adult content, and sensitive personal information before indexing or delivery. We respect robots.txt directives and ethical crawling standards, and never circumvent access controls or authentication.
What is your data retention policy?
Standard retention is 3 years after last interaction for business continuity. Upon contract termination or written request, all customer data is securely purged within 30 days from primary storage and 90 days from backups. Custom retention periods (including immediate deletion with ZDR) can be established based on client requirements.
How do you handle vulnerability management?
We conduct quarterly vulnerability scans through Bastion Technologies and annual penetration testing. Remediation follows defined SLAs: Critical/High (30 days), Medium (60 days), Low (90 days).
What encryption standards do you use?
All data in transit uses TLS 1.2+ encryption, and data at rest is protected with AES‑256 encryption. Encryption keys are managed through enterprise key management services with strict access controls.
Can you crawl content behind paywalls or login walls?
No. We only index and provide publicly available content. We do not access content behind authentication, paywalls, or registration requirements, in accordance with our Acceptable Use Policy and ethical crawling standards.
Do you perform background checks on employees?
Yes. Background checks are performed on all newly hired employees where permitted by law. All employees and contractors must sign confidentiality agreements and acknowledge our security policies.
Can you accommodate custom security requirements for enterprise clients?
Yes. While our standard security controls meet industry benchmarks, we work with enterprise partners to customize incident notification timelines, vulnerability remediation SLAs, compliance reporting, data handling configurations (like ZDR or domain exclusions), and contract terms to align with your specific security and regulatory requirements.