Security & data

Auditing the open web, responsibly.

ArticleGrade fetches live pages for a living, so the way we fetch, what we keep, and who we share it with are first-order concerns. Here's the plain version.

Last updated · June 2026
01

How we fetch

Auditing a URL means fetching arbitrary pages from the open internet. That's a classic server-side request forgery (SSRF) surface, so the fetch layer is hardened against it by design:

  • Private targets are blocked. Loopback, private (RFC-1918), link-local and cloud-metadata addresses are rejected before any connection is opened — including IPv4-mapped, NAT64 and 6to4 representations.
  • DNS is pinned at connect time. We resolve once and open the socket to the exact address we validated, closing the DNS-rebinding window where a name re-resolves to a private IP mid-request.
  • Every redirect is re-validated. A public URL that 30x-redirects to an internal address is caught at each hop, not just the first.
  • TLS is verified against the original hostname, and request size is capped to prevent resource-exhaustion.
02

What we store

We fetch the live page to audit it, and we store the audit result — the score, the issues, and a snapshot of the audited content — so it renders in your dashboard and history. That's it.

  • Account data: the email and workspace details you provide.
  • Audit data: the URLs you audit and their results, scoped to your workspace and isolated from other tenants.
  • No payment-card data touches our servers — billing is handled by our payments processor.

You can request export or deletion of your workspace data at any time by contacting us.

03

We don't train on your content

Your content is audited, not absorbed. We do not use your pages, audits, or account data to train models, and we do not opt into any training or data-retention programs with the model providers we use.

The audit itself runs through large-language-model subprocessors; we send them the page content needed to score it and configure those integrations so the content is not retained for model training.

04

Subprocessors

We keep the stack deliberately small. The third parties that may process content or account data:

Anthropic

Claude — the quality & factual audit. Receives page content to score it.

Google

Gemini — the SEO & structure screen. Receives page content to score it.

Cloud hosting

Runs the application and stores audit data, encrypted in transit via TLS.

Payments & email

Subscription billing and transactional email — they never receive page content.

05

Infrastructure & access

  • Encrypted in transit. All traffic to the app and API is served over TLS.
  • Firewalled origin. The application port isn't exposed to the public internet — traffic only reaches it through the front-end proxy.
  • Rate-limited. Public and authenticated endpoints are rate-limited to prevent abuse, with a stricter bucket on the anonymous grader.
  • Least-privilege access. Administrative access is limited and credentials are rotated.

We're an early-stage company building toward formal certification (SOC 2) for enterprise customers. We'd rather tell you exactly what we do today than claim a badge we haven't earned — if you have specific requirements, talk to us.

06

Reporting an issue

If you believe you've found a security vulnerability, please email security@articlegrade.com with the details. We'll acknowledge it and work with you in good faith to resolve it, and we won't pursue researchers acting in good faith.

Questions about data or compliance?

Tell us your requirements — we'll give you straight answers, not a runaround.