Security & Privacy

Built with privacy by default

Security and privacy are not features — they are constraints that shaped every architectural decision. Zero telemetry and TLS everywhere are defaults, not upsells.

Zero Telemetry by Default

Your queries are processed in-memory and never logged, stored, or analyzed without your explicit consent. There is no usage data sent to third-party analytics or advertising systems. Ever.

TLS Everywhere

All API communication is encrypted in transit using TLS 1.3. API keys are hashed at rest using Argon2. No plaintext secrets are stored anywhere in the system.

API Key Security

Keys are scoped by capability (search-only, research, admin). Rotation is instant. Failed authentication is rate-limited with exponential backoff. Keys can be revoked in < 1 second.

Data Handling

API queries are processed in-memory. No query content is written to disk or database on the hosted API.
API keys and user account data are stored in PostgreSQL with Argon2 hashing for secrets.
Usage metrics (request counts, latency) are stored in aggregate — never linked to query content.
Logs retain IP addresses for 7 days for abuse prevention, then are deleted.
No query content is shared with third-party services. Backend search queries to DuckDuckGo, Brave, etc. do not include your API key or user identity.

Compliance & Certifications

GDPR (EU): Compliant. Data residency in EU available. DPA available on request.
CCPA (California): Compliant. No sale of personal data. Deletion requests honored within 30 days.
SOC 2 Type II: Q3 2026. Audit in progress. Controls documentation available to Enterprise customers.
ISO 27001: Roadmap. Planned for 2027 with SOC 2 as prerequisite.

Responsible Disclosure

We welcome security researchers. If you discover a vulnerability in Fetchium, please report it privately. We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days.

PGP key: Available on request
Scope: api.fetchium.com, app.fetchium.com, fetchium.com, and open-source crates
Out of scope: Social engineering, physical attacks, third-party services
