Security & Data Handling
How we handle your data
Transparency about what we protect, how we protect it, and what we don't have yet.
Research Use Only
Cytomaton is not validated for clinical diagnostic use and is not FDA-cleared or CE-marked. It is intended for research applications only.
What we have
Data encryption
- Encrypted at rest (managed database encryption)
- Encrypted in transit (TLS 1.2+)
- AI API keys encrypted server-side (AES-256-GCM)
Access controls
- Row-level security on all database tables
- JWT authentication with email verification
- Service-role isolation (admin vs. user clients)
Data portability
- Export your FCS files anytime
- Full data export (GDPR-compliant)
- Account deletion on request
Infrastructure
- Cloud-hosted managed services
- US data residency
- Automated database backups
- Rate limiting on all API endpoints
What we don't have yet
We believe honesty about our current limitations builds more trust than a polished page that omits gaps.
- No two-factor authentication — planned for a future release
- No GxP / 21 CFR Part 11 compliance — not suitable for regulated environments
- No clinical IVD certification — research use only
- US-only data residency — EU region planned
- No SOC 2 or ISO 27001 certification — not yet pursued
- No offline mode — all analysis requires an internet connection
AI data handling
- AI chat requests are routed through a server-side proxy — your data never leaves our infrastructure unencrypted.
- Our AI providers do not use API inputs/outputs to train models per their API terms of service.
- AI gating uses a per-user k-NN model trained only on your own gate history — no shared models, no cross-user data.
- Bring-your-own API keys are encrypted server-side and never exposed in the browser.
Questions about data handling? hello@cytomaton.ai