Security & Privacy
How GEM² protects your data
Security and privacy across every service — from account credentials to AI content processing.
Your credentials
How we store and protect your account information.
Your Password
- ✓ Hashed with an industry-standard one-way function before storage
- ✓ Never stored, logged, or transmitted in plaintext — even we cannot reverse it
- ✓ Password reset uses a random 256-bit token, hashed before storage, valid for 15 minutes
Your Email Address
- ✓ Never stored in plaintext in the database
- ✓ Lookup uses a keyed cryptographic hash (blind index) — allows account lookup without knowing your email
- ✓ Display uses AES-256-GCM encryption at rest with a separate server-side key
- ✓ A database breach exposes only encrypted ciphertext and irreversible hashes
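The lookup half of this scheme as an added example, not GEM²'s own code: a keyed HMAC-SHA256 blind index over a normalized address, with a check of what a leaked index column reveals with and without the key. The key handling, the normalization rules, and the AccountStore and guess_matches_dump names are assumptions for illustration; the AES-256-GCM display copy is left out.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed demo key (assumption): in production it comes from a secret store
# kept apart from the database and from the AES-256-GCM display key.
INDEX_KEY = secrets.token_bytes(32)


def normalize_email(email: str) -> bytes:
    """Canonical form, so 'Ann@Example.com ' and 'ann@example.com' index alike."""
    return unicodedata.normalize("NFKC", email).strip().casefold().encode("utf-8")


def blind_index(email: str, key: bytes = INDEX_KEY) -> str:
    """HMAC-SHA256 of the normalized address: deterministic for one key."""
    return hmac.new(key, normalize_email(email), hashlib.sha256).hexdigest()


class AccountStore:
    """Hypothetical accounts table keyed by blind index; no plaintext email column."""

    def __init__(self, key: bytes = INDEX_KEY):
        self._key = key
        self._rows = {}  # blind index -> account id

    def register(self, email: str, account_id: str) -> None:
        idx = blind_index(email, self._key)
        if idx in self._rows:
            raise ValueError("address already registered")
        self._rows[idx] = account_id

    def lookup(self, email: str):
        return self._rows.get(blind_index(email, self._key))

    def dump(self) -> set:
        """The index column as it would appear in a database-only leak."""
        return set(self._rows)


def guess_matches_dump(dumped: set, guess: str, key=None) -> bool:
    """True if a guessed address can be confirmed against a leaked index column.
    key=None models a reader without the server key, left with a plain hash."""
    if key is None:
        candidate = hashlib.sha256(normalize_email(guess)).hexdigest()
    else:
        candidate = blind_index(guess, key)
    return candidate in dumped
```

The index is only as private as its key: anyone holding both the index column and the key can confirm guessed addresses, which is why the key has to live outside the database.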
Your GEM² API Keys
- ✓ Shown exactly once at creation — we cannot retrieve it after that
- ✓ Stored as an irreversible SHA-256 hash
- ✓ Only a short prefix is kept for dashboard identification
- ✓ Revoking a key is immediate and permanent
Your LLM Provider Keys
OpenAI, Anthropic, Google
Key differentiator
- ✓ Never stored in any database — not even encrypted
- ✓ Entered via OAuth consent form, encrypted immediately with AES-256-GCM
- ✓ Held only in your session token, carried by your client — not our servers
- ✓ A complete server breach cannot expose your LLM keys
Your Session Tokens
- ✓ Short-lived access tokens, signed and verified cryptographically
- ✓ Refresh tokens are hashed, rotated on every use, and revoked immediately when replaced
- ✓ Admin can invalidate all sessions for a user instantly
Your content
What happens to the text you process through TPMN Checker.
Default behavior
Your text is processed, scored, and returned. Nothing is saved.
Telemetry
Fully anonymized — tool name, score, duration, and an irreversible hash of your input. No raw text, no email, no user ID.
Opt-in content logging
If you consent: inputs and responses are stored for calibration. Encrypted at rest, auto-deleted after 90 days, immediately purged if you revoke consent. Never shared, sold, or used for model training.
Your identity in Checker
Only a UUID — your email never touches TPMN Checker's database. Production logs anonymize to irreversible hashes.
Infrastructure
How we secure the platform itself.
Security roadmap
We're Pre-GA. Here's what we're building toward General Availability.
Argon2id password hashing
Planned: OWASP primary recommendation — memory-hard, GPU-resistant
Dedicated Key Management Service
Planned: Hardware-backed key storage separate from application infrastructure
Shorter access token windows
Planned: Tighter token lifetimes with seamless background refresh
Full audit log
Planned: Tamper-proof records of all administrative and access events
SOC 2 Type II compliance
Planned: Formal third-party audit of security controls and processes
Multi-region deployment
Planned: Geographic redundancy beyond the current Tokyo region
Summary
| Data | Protection | Reversible? |
|---|---|---|
| Password | One-way hash (bcrypt) | No |
| Email | Blind index (HMAC) + encryption (AES-256-GCM) | Index: No / Encrypted: Yes (server key) |
| GEM² API keys | SHA-256 hash | No |
| LLM provider keys | Not stored (ephemeral in session token) | N/A |
| Session tokens | Cryptographic signing + one-way hash | No |
| Processed content | Not stored (default) / encrypted at rest (opt-in) | N/A |
For vulnerability reports, see our Responsible Disclosure policy. For data handling terms, see our Privacy Policy.
Questions? david@gemsquared.ai