Security & Trust

How we protect your content and comply with EU privacy law.

Encryption in transit

  • All traffic is served over HTTPS with HTTP Strict Transport Security (HSTS) enforced for two years, including subdomains, and submitted for preloading.
  • Non-HTTPS requests received in production are redirected to HTTPS at the application edge.

Secrets management

API keys, OAuth client secrets, and webhook signing secrets are injected at runtime from the deployment environment. They are not committed to source control.

Application security

  • Strict HTTP security headers on every response: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (camera/microphone/geolocation disabled), HSTS.
  • Authentication via NextAuth.js with JWT sessions and Google OAuth.
  • Rate limiting on public and sensitive API endpoints (/api/fact-check, /api/extract-url, /api/contact).
  • Role-based access control for administrative functionality, enforced in middleware.
  • Stripe webhooks are verified using the Stripe signature header and a dedicated webhook secret.

Model providers & your content

When you run a fact-check, the text you submit is sent to our inference provider (OpenRouter) to invoke the underlying language model. We do not instruct the provider to train on your content, and we do not share your content with any party other than our listed sub-processors for the purpose of providing the service.

Sub-processors

We rely on the following sub-processors to deliver the service:

Sub-processor      Purpose
OpenRouter, Inc.   Language model inference for fact-checks (routes to underlying model providers)
Stripe, Inc.       Subscription and payment processing
Google LLC         OAuth sign-in (authentication only)
Resend, Inc.       Transactional email delivery

Each sub-processor handles data under its own terms and, where applicable, relies on the EU Standard Contractual Clauses for any transfers outside the European Economic Area. We will post notice of any material change to this list on this page.

Retention & deletion

  • Fact-checks and their results are retained for the lifetime of your account so you can return to them from your history.
  • Deleting your account from Settings removes your user record and all data related to it — fact-checks, events, run balance, transactions, subscriptions, templates, and share links — via database-level cascading deletes.
  • The same request also cancels any active Stripe subscription and deletes the corresponding Stripe customer.
  • Invoicing and tax records retained by our payment processor are kept in accordance with applicable law.

Vulnerability Disclosure

If you believe you have found a security vulnerability in FactMatters, please email contact@serpact.com with a detailed description and steps to reproduce. We will acknowledge your report within two business days and keep you informed as we investigate.

Please do not perform denial-of-service testing or access data that does not belong to you.

Compliance

We are committed to the EU General Data Protection Regulation (GDPR). Our Data Processing Addendum is available to any customer that requires one. For privacy-related questions or to exercise your rights under GDPR, contact contact@serpact.com.