Does Cited encrypt customer data at rest?

Yes. Customer data stored in our managed databases and object storage is encrypted at rest using AES-256, and all traffic between your browser and Cited uses TLS 1.2 or higher.

Is Cited SOC 2 certified?

Cited's security program is structured around the SOC 2 Trust Services Criteria, and we are working toward SOC 2 Type II certification. A current posture summary is available to prospects under NDA — email security@youcited.com.

Is Cited GDPR-compliant?

Cited is structured to support GDPR Data Subject Access Requests including access, rectification, deletion, and portability. We act as a data processor under the GDPR and a standard DPA is available for enterprise customers.

How long does Cited retain customer data?

Customer-supplied business data is retained for the lifetime of your account and is removable on request. When you delete a business, associated audits and recommendations are permanently removed within 30 days; account closure triggers full data deletion within the same window.

Who are Cited's subprocessors?

Our current subprocessors are Amazon Web Services (infrastructure), Stripe (billing), SendGrid (transactional email), and Google (marketing-page analytics only). The current list is available on request to security@youcited.com.

How do I report a security vulnerability?

Email security@youcited.com with a description of the issue and reproduction steps. We aim to triage reports within two business days and follow responsible-disclosure practices.

Security & Trust

Cited handles customer-supplied site content and AI-query metadata. We treat protecting that data as a first-class engineering responsibility. This page summarizes our security posture so procurement, compliance, and security teams have what they need to evaluate Cited.

1. Encryption in transit and at rest

All traffic between your browser and Cited is served over TLS 1.2 or higher. Customer data persisted in our managed databases and object storage is encrypted at rest using AES-256.

Internal service-to-service traffic inside the Cited platform runs over the AWS private network and is also encrypted in transit.

2. Access controls

Production systems are restricted to a small set of Cited engineers under role-based access control. Access is reviewed periodically and revoked promptly when role changes warrant it.

MFA required for all production-system access.
Audit logs retained for production access events.
Customer-tenant isolation enforced at the database row-level and at the API authentication boundary.

3. Data retention and deletion

Customer-supplied business data (sites you've added, audits you've run, recommendations generated) is retained for the lifetime of your account and is removable on request.

Delete a business from the app and its associated audits and recommendations are permanently removed within 30 days.
Close your account and we initiate full data deletion within 30 days, except for records we are required to retain (e.g., billing records under tax law).
Backups are rotated on a fixed schedule; deleted data ages out of backups within the rotation window.

Need an explicit data deletion confirmation for compliance purposes? Email [email protected] and we'll respond with the deletion record.

4. GDPR readiness

Cited is structured to support GDPR Data Subject Access Requests (DSARs) including access, rectification, deletion, and portability.

Data export available on request — emails to [email protected] are routed to an engineering owner.
We act as a data processor under the GDPR with respect to information you input about your business or your customers' sites.
A standard DPA is available for enterprise customers.

5. SOC 2 posture

Cited's security program is structured around the SOC 2 Trust Services Criteria. We are working toward SOC 2 Type II certification and can provide our current security policy summary, posture overview, and remediation plan to prospects under NDA.

If your procurement process requires a SOC 2 report, contact [email protected] and we'll route you to the right artifacts.

6. Subprocessors

Cited uses a small number of established subprocessors to deliver the platform. The current list:

Amazon Web Services (AWS) — primary infrastructure (compute, database, object storage).
Stripe — billing and subscription management.
SendGrid — transactional email.
Google (Tag Manager, Analytics) — usage analytics on marketing pages only.

The current subprocessor list is available on request to [email protected]. We notify enterprise customers in advance of material changes.

7. Vulnerability reporting and incident response

We welcome reports of security issues. Email [email protected] with a description of the issue and reproduction steps. We aim to triage within two business days.

We commit to investigating reports in good faith.
We will not pursue legal action against researchers who follow responsible-disclosure practices.
In the event of a material security incident affecting customer data, we will notify affected customers without undue delay.

8. Contact

Security inquiries, compliance documentation requests, and incident reports:

Cited Inc.
Email: [email protected]
Website: https://youcited.com