Security

• The analysis tools (fact-check, AI-text detection) never store the submitted document — only the verification result persists, keyed by a content hash.
• Forensic inspections store the document and its result for the retention window, then delete automatically. No document content or extracted personal data enters our searchable index.
• All traffic is HTTPS; data is encrypted at rest.

When you (or an agent) submit a link, the fetch runs behind a strict server-side guard: public http(s) hosts only, every redirect hop re-validated, DNS resolution pinned at connect time, and bodies size-capped while streaming. Internal addresses, cloud metadata endpoints, and private ranges are unreachable by construction.

• No accounts, no tracking identity: your IP is stored only as a one-way salted hash, and production refuses to start if the salt is missing.
• Rate limiting and abuse controls run on those hashes, never raw addresses.

Details in the privacy policy.

• Hosted in Australia (Sydney region) in least-privilege, non-root containers with isolated identities per service.
• The website holds no secrets and reaches no private resources; only the API service carries credentials.
• Identifiers are strictly validated and storage access is exact-key — no enumeration, no traversal.
• Honest failure: missing dependencies degrade with a labeled note in the result, never silently.

Found something? Email gaurav@stipple.sh with steps to reproduce. We read every report and fix verified issues fast — recent reporter-credited fixes ship within days and appear in the changelog.