Security built for financial documents.

Your filings contain material non-public research. We treat them accordingly.

Your documents are not archived.

Uploaded. Analysed. Removed.

PDFs are kept only for the duration of your active upload session so you can run multiple analysis types on the same files. When you log out or release your upload session, those files are deleted from our servers. They are not retained as a permanent document archive.

Outputs tied to your uploads.

FilingLens generates analysis from the documents you provide for your account. Saved analyses in your library store structured output text — not your original PDF files.

Document-grounded outputs.

Every analysis output is anchored to text extracted from your uploaded file. Analysis prompts require the model to use only your document text; we do not enable web search or external data tools at analysis time, which substantially reduces the risk of fabricated content.

Hardened authentication and access controls.

Password security

Passwords are hashed with scrypt before storage. Plaintext passwords are never stored and are not written to application logs.

Rate limiting

Analysis routes are rate-limited per IP. Upload routes are independently capped. Compare and waitlist endpoints have additional per-IP limits. These limits protect against abuse and API drain.

Input sanitisation

Only PDF uploads are accepted, with PDF magic-byte verification, up to 25 MB per file (six files per batch). Filenames are sanitised server-side. Ticker symbols are validated against an alphanumeric-and-hyphen pattern (max 10 characters) before processing. Malformed inputs are rejected before reaching the analysis engine.
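The checks described above, written out as an added Python example; this is not FilingLens's own code. The function names, the filename policy (basename only, conservative ASCII, forced `.pdf` extension) and the whole-batch rejection are assumptions; only the limits and the ticker rule come from the page.

```python
import os
import re
import unicodedata

MAX_FILE_BYTES = 25 * 1024 * 1024   # 25 MB per file (limit stated on the page)
MAX_BATCH_FILES = 6                 # six files per batch (limit stated on the page)
PDF_MAGIC = b"%PDF-"                # header bytes that open a PDF file
# Assumed reading of "alphanumeric-and-hyphen pattern (max 10 characters)".
TICKER_RE = re.compile(r"[A-Za-z0-9-]{1,10}")
UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitise_filename(name: str) -> str:
    """Drop any directory part and reduce the name to a conservative ASCII set."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = UNSAFE.sub("_", name).lstrip(".")      # no hidden or dot-only names
    stem, _ext = os.path.splitext(name)
    return (stem[:100] or "upload") + ".pdf"      # extension is forced, not trusted


def validate_batch(ticker: str, files: list[tuple[str, bytes]]) -> tuple[list, list]:
    """Return (accepted, errors); any error rejects the whole batch."""
    errors = []
    # fullmatch, not match: "AAPL\n" must not pass on a trailing newline.
    if not TICKER_RE.fullmatch(ticker):
        errors.append(f"ticker rejected: {ticker!r}")
    if not 1 <= len(files) <= MAX_BATCH_FILES:
        errors.append(f"batch size {len(files)} outside 1..{MAX_BATCH_FILES}")
    accepted = []
    for raw_name, data in files[:MAX_BATCH_FILES]:
        if len(data) > MAX_FILE_BYTES:
            errors.append(f"{raw_name!r}: exceeds 25 MB")
        elif not data.startswith(PDF_MAGIC):      # header check only, not a full parse
            errors.append(f"{raw_name!r}: missing PDF magic bytes")
        else:
            accepted.append((sanitise_filename(raw_name), data))
    return ([], errors) if errors else (accepted, [])


if __name__ == "__main__":
    sample = b"%PDF-1.7\n% constructed sample bytes, not a real filing\n"
    print(validate_batch("BRK-B", [("../../Q3 report (final).PDF", sample)]))
    print(validate_batch("AAPL\n", [("notes.pdf", b"MZ\x90\x00")]))
```

The magic-byte test confirms only that the file starts like a PDF; the content still has to be treated as untrusted by whatever parses it afterwards.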

Authenticated access

Upload, analysis, library, and billing actions require a signed-in session. State-changing JSON endpoints use login protection and server-side validation before work is performed.

Payments handled by Stripe.

FilingLens does not store, process, or log your payment card details. All billing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor used by millions of businesses globally.

Subscription plan changes are applied from verified Stripe webhook events. Visiting the checkout success page alone does not upgrade your account.

Stripe Payments | Webhook Signature Verified | No Card Data Stored

Infrastructure and transmission.

HTTPS / TLS

FilingLens is served at https://filinglens.io. Traffic between your browser and the application is encrypted in transit via HTTPS.

Database

User accounts and saved analyses are stored in PostgreSQL on Render. Database connection strings and credentials are loaded from environment variables, not hardcoded in source or committed to version control.

Environment isolation

API keys, database credentials, Stripe secrets, and webhook signing secrets are stored as server-side environment variables only. They are not exposed to the client and are not committed to version control.

Questions about security?

If you have specific security questions, compliance requirements, or a responsible-disclosure report to make, contact us directly.

support@filinglens.io