Security
Last updated: March 19, 2026.
Our Approach
Étincel is a production platform that handles sensitive creative work. We treat security as a foundational requirement, not an afterthought. This page documents how we protect your data and the practices we maintain to keep the platform safe.
We are a small team. That means a smaller attack surface, tighter access control, and no large internal footprint to manage. We compensate for early-stage resource constraints by using security-mature infrastructure providers and automated tooling wherever possible.
Security Practices
Encryption at rest
All user data and manuscript content are encrypted at rest using AES-256 within our Neon PostgreSQL database.
Encryption in transit
All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher. We enforce HTTPS sitewide with HSTS.
Authentication
Passwords are hashed using bcrypt before storage. We never store plaintext credentials. Sessions use short-lived, signed tokens.
Access controls
Production database access is restricted to infrastructure-level service accounts. No individual employee has unrestricted access to user data.
Dependency management
We use automated tooling to monitor open-source dependencies for known vulnerabilities and update them on a regular cadence.
Audit logging
All agent actions, data access events, and administrative operations are logged with timestamps and actor context.
Infrastructure
The Étincel platform runs on Vercel for application hosting and Neon for PostgreSQL database services. Both providers maintain SOC 2 Type II certifications and operate with industry-standard physical and logical security controls.
Our database is not publicly accessible. Connections are routed through authenticated, encrypted channels and use connection pooling. All queries use prepared statements to guard against SQL injection.
Agent Isolation
Each agent in the Étincel pipeline operates within a scoped execution context. Agents are not granted broad system access. They read and write only the data objects explicitly required for their function, and they cannot initiate network requests outside of approved integrations.
For a full description of how agent capabilities are bounded and audited, see our Agent Operations page.
Third-Party Integrations
We limit third-party integrations to those essential for the platform to function. Each integration is reviewed for its data access scope before use. We do not use integrations that require broad, persistent access to your external accounts.
Payment processing is handled entirely by Stripe. No card data passes through our servers.
Incident Response
In the event of a security incident that affects user data, we will notify affected users by email within 72 hours of becoming aware of the breach. Notifications will include the nature of the incident, the data involved, and steps we are taking to address it.
We maintain a documented incident response process and review it following any security event.
Responsible Disclosure
If you discover a potential security vulnerability in the Étincel platform, please report it to security@etincel.co before disclosing it publicly. We will acknowledge your report within 48 hours and work with you on an appropriate timeline for disclosure.
We do not currently operate a formal bug bounty program, but we are grateful to researchers who help us improve and will recognize meaningful contributions.
What We Do Not Do
- We do not sell your data to any third party
- We do not use your manuscript content to train models
- We do not retain data beyond the periods described in our Privacy Policy
- We do not grant external parties access to your content without your explicit consent or a legal obligation
Questions
For security-related questions, reach us at legal@etincel.ai.