Security & Data Protection

At ReviewerZero AI, Inc., accessible from https://reviewerzero.ai, security and data protection are fundamental to our operations. As an early-stage startup, we have implemented a strong security foundation from day one and continuously evolve our security measures based on product needs and client requirements.

If you have questions about our security practices or data protection measures, please contact us at hi@reviewerzero.ai.

Cloud Infrastructure & Compliance

ReviewerZero's backend services and data storage run on Amazon Web Services (AWS), and our web application is hosted on Railway. Our AWS infrastructure benefits from AWS's security and compliance certifications: AWS data centers maintain compliance with SOC 2, ISO 27001, FedRAMP, PCI DSS, and other standards. These certifications belong to AWS as our infrastructure provider and do not themselves represent certifications independently held by ReviewerZero.

All client data is stored in secure AWS environments with strong physical and environmental safeguards. This cloud foundation allows us to scale while maintaining the enterprise-grade security and reliability that our university and enterprise clients expect.

Data Encryption & Network Security

We implement comprehensive security measures to protect your data:

  • Encryption in Transit: All communication with the ReviewerZero platform is encrypted using TLS 1.2 or higher
  • Network Controls: AWS Virtual Private Cloud (VPC) security groups act as virtual firewalls, following the principle of least privilege
  • Access Control: Restricted IP ranges and no unnecessary open ports
  • Data at Rest: Manuscripts and files are encrypted at rest in AWS S3 using server-side AES-256 encryption, and stored credentials and API keys are additionally encrypted at the application layer using AES-256-GCM

GDPR Compliance & Data Protection Rights

We are committed to protecting the privacy rights of all users. You have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate or incomplete data
  • Right to Erasure: You can request deletion of your personal data under certain circumstances
  • Right to Data Portability: On request, we can provide the personal data you supplied to us in a commonly used electronic format. We fulfill these requests manually through support rather than a self-service export tool
  • Right to Object: You can object to certain types of data processing
  • Right to Restrict Processing: You can request limitation of data processing under certain conditions

To exercise any of these rights, please contact us at hi@reviewerzero.ai. We will respond to your request within 30 days.

Legal Basis for Data Processing

We process personal data under the following bases:

  • Contractual Necessity: To provide our research integrity analysis services
  • Legitimate Interest: To improve our services and ensure platform security
  • Consent: Where you have provided explicit consent for specific processing activities
  • Legal Obligation: To comply with applicable laws and regulations

Data Retention & Deletion

We retain personal data only for as long as necessary to provide our services or as required by law. We do not currently enforce fixed retention windows. Instead:

  • Analysis Data: You control how long your analyses are retained through your account settings, including automatic deletion options
  • Account Data: Retained while your account is active, and deleted on request

You can request deletion of your account and associated personal data at any time by contacting us.

Monitoring & Incident Response

We maintain vigilant monitoring of our infrastructure and applications using AWS CloudWatch and related observability tools. Our monitoring includes:

  • Real-time logging of system performance and security indicators
  • Automated alerts for anomalies, errors, or security-relevant events
  • Infrastructure activity logging for our AWS environment using AWS CloudTrail (control-plane events, not in-product user actions)
  • Monitoring dashboards to support incident response

In the event of a data breach that may affect personal data, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR.

Secure Development Practices

Security is integrated into our development workflow through:

  • Private Repositories: All code managed in private GitHub repositories with role-based access control
  • Secret Scanning: Automated detection of credentials or sensitive data in code
  • Dependency Management: Dependabot alerts for known vulnerabilities in third-party libraries
  • Regular Updates: Prompt application of security patches and dependency updates

Third-Party Security Partners

We carefully select third-party services that maintain high security standards and compliance certifications:

  • Amazon Web Services (AWS): backend infrastructure, storage (S3), and email (SES). SOC 1/2/3, ISO 27001, PCI DSS Level 1, and FedRAMP certified
  • Railway: web application hosting
  • Modal: serverless compute for image and ML processing. SOC 2 Type II compliant
  • Roboflow: computer-vision model hosting. SOC 2 Type II certified with HIPAA-ready infrastructure
  • Google (Gemini Developer API): AI model inference. SOC 2 and ISO/IEC 27001 certified
  • OpenRouter: LLM gateway that routes requests to OpenAI and Meta Llama models
  • Perplexity: web-grounded literature and reference search
  • Exa: web and literature search
  • Autumn and Stripe: subscription billing and payment processing. Stripe is a PCI DSS Level 1 Service Provider with SOC 1/2 compliance

We implement third-party services under data processing agreements where required for GDPR compliance. Compliance certifications listed above are held by the respective providers, not by ReviewerZero.

International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where transfers are to countries with adequate data protection
  • Additional safeguards as required by applicable data protection laws

Data Protection Officer & Contact Information

For any questions, concerns, or requests regarding data protection, security, or to exercise your GDPR rights, please contact: hi@reviewerzero.ai

Updates to This Security Policy

We may update this security and data protection policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify users of any material changes and post the updated policy on our website with a revised effective date.

Last Updated: June 5, 2026