Trust Center

Privacy, security, compliance — in one page

Every legal, security, and operational disclosure is published on this site as both a human page and a machine-readable mirror at a stable /.well-known/ path. Procurement teams, AI agents, and security researchers can all start here.

Legal

What we collect, how long we keep it, who processes it on our behalf.

Use rules for the website, dashboard, MCP server, and Agent Credits.

Data Processing Agreement/dpa/.well-known/dpa.json

GDPR Art. 28 DPA template; counter-signed copy on request.

Security

Security Overview/security

How we protect subscriber email, Stripe customer IDs, and share-token endpoints.

Coordinated Vulnerability Disclosure/disclosure/.well-known/disclosure.json

How to report, what's in scope, response SLA, safe harbor.

security.txt (RFC 9116)/.well-known/security.txt/.well-known/security-policy.json

Canonical disclosure contact + JSON mirror.

Compliance

Subprocessors/subprocessors/.well-known/subprocessors.json

Stripe, Vercel, Resend, PocketBase/Hetzner, PostHog (EU), GitHub, Cloudflare, Anthropic, Coinbase. Roles + DPAs + regions.

Compliance Posture/.well-known/compliance.json

GDPR, CCPA, HIPAA, PCI, SOC2 status; data-residency; retention.

AI / Data-Use Policy/ai.txt/.well-known/ai-policy.json

Per-bot rules; training-data posture; CC BY 4.0 license terms.

Transparency

Annual Transparency Report/transparency/.well-known/transparency.json

Government data requests, takedown demands, breaches — published yearly with explicit zeros.

Service Status/uptime

Live uptime + freshness signals + last-modified watermarks.

Corrections Log/corrections

Public log of every signal correction we've issued and the rationale.

Email & Tracking

MTA-STS Policy/.well-known/mta-sts.txt

RFC 8461. Mail to @gitdealflow.com must be delivered over TLS or rejected.

Do-Not-Track Compliance/.well-known/dnt-policy.txt

We honor the EFF DNT Policy v1.0 for any browser/agent that sends DNT: 1.