Security and Data Handling
The Service is designed with safeguards for account access, organization workspaces, generated documents, billing workflows, and operational records.
Last updated: May 20, 2026.
This Security and Data Handling statement describes safeguards that ValuSift is designed to use to protect accounts, generated documents, and operational data. It is provided for transparency and does not modify the Terms of Service or Privacy Policy.
Security Overview
The Service is designed with safeguards intended to protect account access, organization workspaces, generated documents, billing workflows, and operational records. These safeguards include authenticated access, organization-based authorization, session protections, CSRF protection, password requirements, rate limits, audit logging, restricted storage paths, and controlled document download and preview endpoints.
No website, application, network, infrastructure provider, or storage system can be guaranteed to be completely secure. We cannot promise that the Service will be uninterrupted, error-free, immune from attack, or that information will never be accessed, disclosed, altered, or destroyed by unauthorized parties.
Production Infrastructure and HTTPS
The production Service is intended to run on managed hosting or cloud infrastructure and to be accessed only over HTTPS. HTTPS helps protect traffic in transit between users and the Service. Local development, testing, or administrative environments may differ from production configuration.
We use infrastructure, application, and operational controls that are designed to reduce risk, but users remain responsible for securing their own devices, browsers, networks, credentials, and authorized users.
Account and Session Protection
Accounts require passwords that meet minimum complexity requirements. Passwords are stored as hashes rather than in plaintext. The Service uses HTTP-only session cookies, SameSite cookie settings, CSRF tokens for state-changing requests, a 1-hour inactivity timeout, and rate limits on sensitive workflows such as login, registration, password changes, job creation, downloads, previews, filing lookups, company searches, dataset downloads, and feedback submission.
The Service does not currently provide multi-factor authentication. Users should choose strong, unique passwords and protect their email accounts and devices.
Workspace and Access Controls
Generated documents and jobs are associated with an organization workspace. Authenticated endpoints generally enforce organization ownership checks before allowing access to generated documents, previews, job status, history, datasets, or other workspace content. Admin users may have broader access for operational, support, security, legal, abuse-prevention, and account-administration purposes.
ValuSift personnel, contractors, or administrators may access account information, generated document metadata, generated files, logs, jobs, usage records, billing records, or feedback when reasonably necessary to operate, secure, support, debug, enforce, improve, or comply with legal obligations relating to the Service.
Generated Documents and Storage
Generated workbooks, redlines, previews, and related metadata are stored so authorized users can re-open or download retained outputs. Generated documents currently expire after one year unless deleted or removed earlier for operational, security, legal, abuse-prevention, or account-administration reasons.
Direct web access to storage directories is denied. Downloads and previews are served through authenticated PHP endpoints with ownership checks and storage path validation. The app sets frame-denial headers for general pages, with a scoped same-origin framing exception for document previews so generated redline and workbook previews can render inside the application.
Backups, Retention, and Disposal
Production infrastructure is expected to include backups and recovery processes. Backup systems are intended to support operational resilience, but we do not guarantee that every file, record, version, or generated document can be restored in every circumstance.
Runtime caches and temporary files are cleaned separately from generated document retention. Current defaults include one-year generated document retention, 30-day runtime cache retention, and 24-hour temporary-file retention, subject to configuration and operational needs.
Payment Security
Payment processing is handled by Stripe or another payment processor we designate. The Service does not intentionally store full payment card numbers. Payment workflows may store payment processor identifiers, subscription status, checkout metadata, plan information, billing period information, and related records needed to operate subscriptions and billing.
Provider Requests and Source Data
The Service retrieves public filing, market, Treasury, institutional ownership, and related data from third-party sources such as SEC EDGAR, Yahoo Finance, Nasdaq, FRED, and other providers. To comply with SEC EDGAR access expectations, provider requests may include contact metadata such as a User-Agent containing an email address. Depending on the workflow and configuration, that email address may be your verified account email or a configured ValuSift contact email.
Analytics and Marketing Measurement
The Service and our emails may use analytics tags, cookies, pixels, web beacons, tracked links, or similar technologies where enabled. These tools are used for measurement, troubleshooting, campaign attribution, product improvement, and communication performance; they are not security controls. Do not include confidential, material non-public, personal, regulated, or highly sensitive information in URLs, query strings, feedback fields, or other areas where it may be reflected in logs, analytics metadata, or email engagement records.
Audit Logs and Monitoring
The Service records audit and operational events for activities such as login, registration, logout, password changes, policy acceptance, generated jobs, document downloads, dataset downloads, admin actions, maintenance changes, feedback, billing events, and error handling. These records are used for security, troubleshooting, abuse prevention, support, compliance, and account administration.
Incident Response
We maintain operational processes intended to identify, investigate, contain, and respond to suspected security issues. If we determine that notice of a security incident is legally required, we will provide notice consistent with applicable law.
To report a security concern, contact valusift@gmail.com. Please include enough detail for us to understand and investigate the issue. Do not publicly disclose a suspected vulnerability or access, alter, delete, copy, or exfiltrate data that does not belong to you.
User Responsibilities
You are responsible for using the Service securely. This includes protecting credentials, using strong unique passwords, limiting access to authorized users, reviewing organization membership, signing out on shared devices, securing your devices and networks, and promptly notifying us if you suspect unauthorized access.
Do not submit confidential, material non-public, personal, regulated, export-controlled, or highly sensitive information unless you have independently determined that the Service is appropriate for that use. The Service is designed primarily for public-source financial research workflows and generated outputs based on public or user-selected source data.
Security Contact
Security questions or concerns may be directed to valusift@gmail.com.