At a glance
Data we collect
- Catalog data — product names, descriptions, specs, prices, images, and URLs that we crawl from your site or that you upload via CSV.
- Search analytics — queries customers run on your site, click-throughs, response timings.
- Account data — workspace name, domain, user emails and password hashes for the dashboard.
We do not use your catalog or query data to train models that serve other tenants. Embeddings and rerank scores are computed and stored per-tenant.
Sub-processors
The third parties that process customer data on our behalf:
| Sub-processor | Purpose | Data scope | Region |
|---|---|---|---|
| OpenAI | Query intent parsing, hypothetical-document generation, embeddings | Search queries, product text snippets | USA |
| Fly.io | Application hosting | All catalog and analytics data | Customer-selected region |
| Supabase | Postgres database + authentication | All catalog and account data | Customer-selected region |
| Formspree | Marketing-site contact form processing | Email + free-text inquiry only | USA |
Compliance & certifications
We're an early-stage company. Here's the honest current state:
- SOC 2 Type II: Planned 2026 — we'll begin the observation window once we have a stable production load from paying customers.
- ISO 27001: Planned 2027
- GDPR / CCPA: covered by our Privacy Policy. Data subject access requests via privacy@partsift.com.
- HIPAA / PCI: not in scope — we don't process protected health information or cardholder data.
If you're under procurement and need a security questionnaire filled out, we'll do it within five business days. Email security@partsift.com.
Data Processing Agreement (DPA)
Our standard DPA mirrors the EU SCCs and incorporates the sub-processor list above. Email legal@partsift.com with your entity name and we'll send a counter-signed copy within two business days. We can also countersign your DPA template if you have one.
Reporting a vulnerability
If you find a security issue, send a private note to security@partsift.com. We acknowledge within one business day and try to triage within five. We don't have a paid bounty program yet, but we will recognize you publicly (with consent) and credit your finding in the changelog.
Incident response
If we have an incident affecting your data, we will notify you within 72 hours of discovery via the email on your account, with a description of what was affected, what we know about scope, and what we're doing about it.