Security & Compliance
Last updated: May 31, 2026
Compliance status
HeyScreen's controls are designed to align with the SOC 2 Trust Services Criteria. Our compliance posture today:
- SOC 2 Type II: in progress
- PCI-DSS: handled by Stripe
- CCPA/CPRA: ready
- PIPEDA: ready
- Encryption in transit (TLS)
SOC 2 is an independent audit performed by a licensed CPA firm. We will update this page and make our report available under NDA once our audit is complete. To request our current security documentation or audit status, contact security@heyscreenai.com.
SOC 2 Trust Services Criteria
How our practices map to the five SOC 2 criteria:
Security
Encryption in transit, secure authentication (OIDC, no passwords stored by us), least-privilege access, rate limiting, and abuse prevention.
Availability
Hosted on managed cloud infrastructure; we are implementing monitoring and backup controls to support availability and recovery of essential account data.
Processing Integrity
Requests are processed accurately and only for the purpose you initiate; AI outputs are assistive and are not used to make automated decisions with significant effects.
Confidentiality
Data minimization (chat content stays on your device), restricted internal access, and contractual confidentiality with subprocessors.
Privacy
Collection limited to what's needed, honoring US and Canadian privacy rights — see our Privacy Policy.
Our security controls
- Encryption in transit: all traffic is served over HTTPS/TLS.
- Authentication: handled via OpenID Connect (Log in with Replit). We never see or store your passwords; sessions use secure, httpOnly cookies.
- Data minimization: we do not store chat history or screenshots on our servers. Conversations live only on your device.
- Access control: least-privilege access to production systems and data.
- Payments: processed by Stripe (a PCI-DSS Level 1 provider). We never handle full card numbers.
- Abuse prevention: request rate limiting and monitoring.
- Vulnerability management: we keep dependencies up to date and review them for known vulnerabilities.
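Two of the controls above, secure httpOnly session cookies and request rate limiting, can be checked and implemented concretely. The block below is an added illustration written for this page and is not HeyScreen's own code: the cookie name and lifetime, the request limit, the window size and the in-memory limiter are assumptions, not details the page states. It builds a hardened Set-Cookie header, audits any Set-Cookie header for the attributes a session cookie should carry, and applies a fixed-window rate limit per client.

```javascript
// Added example, not HeyScreen's code. Cookie name, lifetime and rate limits
// below are assumed values for illustration only.

// Attributes a session cookie should carry (compared case-insensitively).
const REQUIRED_COOKIE_ATTRS = ['secure', 'httponly', 'samesite'];

// Build a Set-Cookie header value for a session cookie.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',       // only sent over HTTPS/TLS
    'HttpOnly',     // not readable from document.cookie, limiting XSS impact
    'SameSite=Lax', // not attached to cross-site POSTs, limiting CSRF
  ].join('; ');
}

// Parse a Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the list of hardening problems found in a Set-Cookie header;
// an empty array means the cookie carries every required attribute.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = REQUIRED_COOKIE_ATTRS.filter((k) => !(k in attrs));
  if ('samesite' in attrs && String(attrs.samesite).toLowerCase() === 'none') {
    problems.push('samesite=none permits cross-site sends');
  }
  return problems;
}

// Fixed-window rate limiter keyed by client id (for example a user id).
// State is kept in memory, which is an assumption suitable for one process.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }

  // Returns true if the request is allowed, false if the client is over limit.
  allow(clientId, nowMs = Date.now()) {
    const b = this.buckets.get(clientId);
    if (!b || nowMs - b.start >= this.windowMs) {
      this.buckets.set(clientId, { start: nowMs, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Usage with constructed values: a hardened cookie audits clean, a bare
// cookie reports what is missing, and a fourth request in the window is denied.
const exampleCookie = buildSessionCookie('session', 'abc 123', 3600);
const cleanResult = auditSessionCookie(exampleCookie);
const weakResult = auditSessionCookie('session=abc; Path=/');
const limiter = new RateLimiter(3, 1000);
const decisions = [0, 100, 200, 300].map((t) => limiter.allow('client-a', t));
console.log({ cleanResult, weakResult, decisions });
```

The audit function is the check worth running against a real response: fetch a login response, read its Set-Cookie header and confirm `auditSessionCookie` returns an empty array. The limiter accepts an explicit timestamp so its behaviour can be tested deterministically without waiting for real windows to expire.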
Subprocessors
| Provider | Purpose | Relevant compliance |
|---|---|---|
| Anthropic (Claude) | AI inference on submitted content | Commercial terms: API data not used to train models |
| Replit | Authentication (OIDC) & hosting | Platform security & SSO |
| Stripe | Subscription billing | PCI-DSS Level 1 |
Regulatory frameworks we support
- United States: CCPA/CPRA and comparable state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, and others) — we honor access, deletion, correction, and opt-out rights, and we do not sell or share personal information.
- Canada: PIPEDA and provincial laws including Quebec's Law 25 — consent-based processing, access and correction rights, and a designated privacy officer.
- Payments: PCI-DSS via Stripe.
- AI governance: transparency about AI use, human oversight of outputs, and acceptable-use safeguards (see Terms).
Incident response & reporting
We maintain procedures to detect, investigate, and respond to security incidents and will notify affected users and regulators where required by law. If you discover a vulnerability, please report it responsibly to security@heyscreenai.com and allow us reasonable time to remediate before public disclosure.
Contact
Security & compliance inquiries: security@heyscreenai.com. Privacy requests: privacy@heyscreenai.com.