Security & Compliance
Straight answers to the questions a security or procurement team usually asks. For a deeper review or a signed agreement, email legal@digitaltallycounter.com.
Where does my data live, and how is it protected?
On free tools, your data stays in your browser. With an account and cloud sync, your saved data is stored on our cloud infrastructure (Amazon Web Services, U.S. region). All traffic runs over HTTPS/TLS (encryption in transit), and access to production systems and customer data is limited to personnel who need it to operate the Service.
How are payments handled?
Payments are processed by Stripe, a PCI-DSS Level 1 service provider. Card data is sent directly to Stripe; we do not store full payment-card numbers on our systems.
Are you SOC 2 / ISO 27001 / PCI / HIPAA certified?
No — not at the product level. Our infrastructure providers maintain environments built and independently audited against recognized frameworks (e.g. ISO 27001, SOC 2, NIST), and Stripe carries PCI-DSS compliance for payments. But the Service itself is not certified or audited under any of these standards, and no plan or subscription confers compliance or a certification. The Service is also not intended for regulated data such as HIPAA-protected health information — see our Terms ("Compliance & certifications").
Who else touches my data?
A short list of vetted sub-processors (hosting, payments, analytics/ads, email). See the live Sub-processors page, and ask to be notified of changes.
Do you use my data to train AI?
We do not sell your personal data, and we don't use the personal content you store to train third-party AI models. We may use aggregated and de-identified data to operate and improve the Service. Our chatbot processes your messages to answer you; see the Privacy Policy for details.
How long is data kept, and can it be deleted?
We keep data as long as needed to provide the Service and meet legal obligations. You can delete your account and associated data; data stored only in your browser is cleared when you clear your browser data. See Privacy for retention details and your rights.
Do you back up data?
We operate routine backups of our production systems for resilience. They are for our operational recovery and are not a substitute for your own records — you remain responsible for keeping copies of anything important (see the Terms).
How is access controlled?
Access to production and customer data is restricted to authorized personnel on a need-to-know basis, over encrypted connections. Accounts are protected by your credentials, which you are responsible for keeping secure.
What happens if there's a security incident?
We have a process to detect, contain, assess, and notify. If a breach affects your personal data, we notify affected users and controllers without undue delay as required by law. See our Incident & Breach Notification policy.
How do I report a vulnerability?
Email legal@digitaltallycounter.com. Please give us a reasonable chance to respond before any public disclosure, and don't access data that isn't yours while testing.
I need a DPA, a security questionnaire completed, or formal docs.
For business and organizational use, our Data Processing Agreement applies automatically and a counter-signed copy is available on request. For security questionnaires, a DPA, or a custom arrangement, contact legal@digitaltallycounter.com — see also "What we build" in the Trust Center. We do not offer a contractual uptime SLA for self-service plans; SLAs are available only under a separate signed enterprise agreement.
DigitalTallyCounter.com is operated by Nowaitn Corporation, a Delaware corporation.