Data security
Last updated: 12 June 2026
AIPR keeps your unpublished work yours. This page states what protects a manuscript at each step, from upload to finished review, and the deployment options your institution controls.
- Browser
- API (TLS)
- Encrypted store
- LLM provider
- Review
No training on your data
Submitted content is excluded from model training on every tier.
We never use your submitted content to train a model. Neither do the model providers we route to. AIPR runs under standard commercial API terms, which contractually exclude your prompts and documents from any training or fine-tuning. This holds for every reviewer, every manuscript, on every tier.
Encryption in transit and at rest
TLS 1.2 or newer on every connection, encrypted backups, bcrypt password hashes, HMAC-signed cookies.
All connections use TLS 1.2 or newer. Database backups are encrypted at rest before upload to object storage. Passwords are stored as bcrypt hashes. Sessions use HMAC-signed, HttpOnly/Secure cookies with SameSite=Lax.
Retention windows
Anonymous uploads are deleted after 7 days; account data is removed within 30 days of account deletion.
Anonymous uploads (no account attached) are deleted after 7 days. Account-attached papers and reviews are kept for as long as the account is active. Deleting the account removes the associated personal data within 30 days. The model provider may retain a request for around 30 days for abuse monitoring. On accounts where zero data retention is enabled, that window is removed and content is dropped immediately after the response.
Deletion on request
Data export, account deletion, and review takedown by email; deletions complete within 30 days.
You can request a copy of your data, an export of your reviews, an account deletion, or a takedown of a review you authored, by emailing [email protected]. We respond within five working days. Deletions complete within 30 days.
Verified backups
Tiered 7 daily / 4 weekly / 3 monthly backups with recurring verified restores.
Encrypted backups follow a tiered retention of 7 daily / 4 weekly / 3 monthly snapshots and are tested on a recurring restore cadence.
Deployment options
Hosted by default, bring-your-own model endpoint rolling out, full on-premise deployment available on request.
- Standard hosted (available): AIPR runs on our managed keys under the no-training terms. This is the default and needs nothing from your side.
- Bring-your-own model endpoint (rolling out): Your organization supplies its own OpenAI or Azure token. LLM calls route to your endpoint, and manuscripts remain in AIPR's encrypted store.
- Full on-premise deployment (available on request): AIPR runs inside your own environment as a separate engagement, so review content never leaves your boundary.
Across every option, additional model providers are supported on request.
Sub-processors held to least data
A small set of vendors, each seeing only what its job requires.
The full list, with regions and policy links, is in the data processing agreement.
OpenAI, DigitalOcean, Stripe, Resend, Google Analytics (consent-gated)
OpenAI
- Receives: Receives the manuscript text and returns the structured review.
- Purpose: Performs the model inference that generates the review, under enterprise API terms with no training on submitted content.
- Region: United States
DigitalOcean
- Receives: Holds stored papers, reviews, account records, and encrypted database backups.
- Purpose: Application hosting, managed PostgreSQL, and Spaces (S3-compatible) blob storage. SOC 2 Type II certified.
- Region: European Union and United States
Stripe
- Receives: Handles checkout end-to-end. We receive a customer reference and entitlement records, never card data.
- Purpose: Payment processing.
- Region: United States
Resend
- Receives: Sees the recipient address and the content of each transactional email.
- Purpose: Transactional email delivery.
- Region: United States
Google Analytics
- Receives: Sees anonymized, aggregate traffic measurements. No manuscript content reaches it.
- Purpose: Aggregate, anonymized traffic measurement on the public site, never used for advertising.
- Region: Global
Payments without card data
Stripe handles checkout end-to-end; card data never reaches AIPR.
Stripe handles checkout end-to-end. We receive a customer reference and entitlement records, never card data.
Server logs bounded at 30 days
Standard request logs are kept for 30 days, then deleted.
Standard server logs (IP address, user agent, request path) are kept for 30 days for debugging and abuse response, then deleted.
The terms behind these points are set out in the data processing agreement, and the data policy covers the same facts for individual reviewers. Questions: [email protected].