← Back to Home
Legal

Data Handling

How we collect, store, process, and protect data across TuningFolks and SurveyAI. Technical controls and audit status.

Compliant
DPDP 2023
Applicable
GDPR
In progress
SOC2

Survey Data Flow

1
Customer scans QR code
No app download. Anonymous session only.
2
Submits 3-question survey
Answers stored as plain text. No name required.
3
Optional contact info
If provided: SHA-256 hashed immediately. Original discarded.
4
Monthly aggregation
All responses grouped by category. No individual records exported.
5
AI report generation
Aggregated counts + themes sent to Claude API. Zero PII in payload.
6
HTML report delivered
Business receives insights only. No raw responses included.

🔒 Data in Transit

ControlStatusNotes
TLS 1.2+ enforcedActiveAll HTTP traffic redirected to HTTPS via Nginx
HSTS headerActivemax-age=31536000; includeSubDomains
Secure cookiesActiveHttpOnly + SameSite=Strict on session tokens

🗄️ Data at Rest

ControlStatusNotes
Encrypted disk volumesActiveGCP persistent disks encrypted at rest by default
SQLite on encrypted volumeActiveNo managed database — no third-party DB access
Weekly encrypted backupActiveAutomated dump to GCP Cloud Storage, private bucket

🛡️ Access Control

ControlStatusNotes
SSH key-only VM accessActivePassword auth disabled on GCP VM
Principle of least privilegeActiveService accounts scoped to minimum required permissions
Admin portal authActiveSession-based auth; no persistent tokens stored client-side

🤖 AI Data Processing

ControlStatusNotes
Pre-aggregation before AI callsActiveSurvey responses aggregated; no individual PII sent to Claude API
Phone/email hashingActiveOne-way SHA-256 hash; original value never stored post-hash
No training data opt-inActiveAnthropic API calls use data that is not retained for model training

Third-Party Sub-processors

Google Cloud PlatformVM hosting, Cloud Storage, Cloud DNSasia-south1 (Mumbai)Yes
Anthropic (Claude API)AI report generation and news classificationUS (API)Yes — data not retained for training
StripePayment processingGlobalYes — PCI DSS Level 1
Let's EncryptSSL certificate issuanceUS (ACME protocol)No PII transmitted
Privacy Policy →Security →Back to Home