Security
Your data security is non-negotiable
Extraktr is built from the ground up to protect your conversation data. We never train on your content, encrypt everything, and give you full control.
Encryption in transit and at rest
All data transmitted between your browser and our servers is encrypted via TLS 1.2+. Data stored on our infrastructure is encrypted at rest using AES-256.
No model training on your data
We do not use your conversation content to train, fine-tune, or improve machine learning models. Your data is processed exclusively to deliver your extraction results.
Ephemeral processing by default
For unauthenticated users, raw conversation content is not persisted after extraction completes. The input is processed in memory and discarded.
Access controls
Internal access to production systems is restricted to authorized personnel with role-based permissions. We follow the principle of least privilege across all infrastructure.
Third-party processing
We use OpenAI's API for natural language processing when you use Extraktr-managed processing (the default). OpenAI's API data usage policy prohibits use of API inputs for model training. If you enable optional local HTTP inference in account settings, formatted extraction requests are sent only to the endpoint you configure. That endpoint is operated by you, not by Extraktr, and it is not one of our NLP subprocessors for that step. We do not otherwise share your data with third parties for extraction.
Secure authentication
We use Google OAuth 2.0 for sign-in. We never store passwords. Session tokens are encrypted and expire automatically.
Compliance posture
Extraktr follows industry-standard security practices designed to meet the expectations of enterprise teams. We are actively working toward formal certifications.
SOC 2 Type II
In progress: Working toward formal certification with an auditing partner.
GDPR
Compliant: Data minimization, user rights, and lawful processing basis in place.
Data Processing Agreement
Available: Custom DPAs available for Team and volume customers on request.
Penetration testing
Scheduled: Third-party penetration testing planned as part of SOC 2 preparation.
Responsible disclosure
If you discover a security vulnerability in Extraktr, we encourage responsible disclosure. Please report findings to security@extraktr.com.
- Include a detailed description of the vulnerability, steps to reproduce, and potential impact.
- We aim to acknowledge reports within 2 business days and provide an initial assessment within 5 business days.
- We will not pursue legal action against researchers acting in good faith.
- We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Subprocessors
The following third-party services process data on behalf of Extraktr:
This list is updated when subprocessors change. Customers with a DPA receive advance notice of changes per their agreement.
User-controlled inference
Advanced users may route extraction model calls to an HTTP endpoint they operate instead of Extraktr-managed providers. In that mode, request payloads are sent only to the URL you configure; they are not sent to OpenAI for that step. You are responsible for the security and privacy practices of that endpoint. This behavior is summarized in our Privacy Policy (Section 3) and is consistent with the subprocessors list above, which covers default processing only.
When you change processing mode or endpoint in account settings, the new choice applies to the next extraction request the product sends. A request that has already started keeps the mode and destination it began with until it completes.
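As an added illustration (this is not Extraktr's code), the routing rule described above can be expressed as a small Python dispatcher: the destination is resolved once when a request starts and pinned for that request's lifetime, so a settings change made while a request is in flight affects only later requests. The names (InferenceSettings, Destination, resolve_destination, Account) and the sample endpoint URL are assumptions for illustration, and the endpoint check is a minimal constructed validation rather than anything Extraktr documents.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed label for the Extraktr-managed provider (the page names OpenAI as the default).
MANAGED_PROVIDER = "openai"


@dataclass(frozen=True)
class InferenceSettings:
    """Account-level processing choice: 'managed' (default) or 'custom' with a user endpoint."""
    mode: str
    endpoint: Optional[str] = None


@dataclass(frozen=True)
class Destination:
    """Where a request's payload is sent: the managed provider or the user's own URL."""
    kind: str    # "managed" or "custom"
    target: str  # provider name, or the user-configured URL


def validate_endpoint(url: str) -> str:
    """Minimal illustrative check: require an absolute http(s) URL (an assumption, not Extraktr's rule)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("endpoint must be an absolute http(s) URL")
    return url


def resolve_destination(settings: InferenceSettings) -> Destination:
    """Turn the current settings into a concrete destination for one request."""
    if settings.mode == "managed":
        return Destination("managed", MANAGED_PROVIDER)
    if settings.mode == "custom":
        if not settings.endpoint:
            raise ValueError("custom mode requires an endpoint")
        return Destination("custom", validate_endpoint(settings.endpoint))
    raise ValueError(f"unknown mode {settings.mode!r}")


class ExtractionRequest:
    """A request captures its destination at start and never re-reads account settings."""

    def __init__(self, request_id: int, destination: Destination) -> None:
        self.id = request_id
        self.destination = destination

    def run(self, payload: dict) -> dict:
        # Simulated transport: record where the payload would be sent.
        return {"id": self.id, "sent_to": self.destination.target, "size": len(payload.get("text", ""))}


class Account:
    """Holds the mutable settings; each new request snapshots them at start."""

    def __init__(self, settings: InferenceSettings) -> None:
        self.settings = settings
        self._next_id = 0

    def update_settings(self, settings: InferenceSettings) -> None:
        # Takes effect for the next request only; in-flight requests keep their pinned destination.
        self.settings = settings

    def start_extraction(self) -> ExtractionRequest:
        self._next_id += 1
        pinned = resolve_destination(self.settings)  # snapshot taken here, once
        return ExtractionRequest(self._next_id, pinned)


def demo() -> tuple:
    """Constructed scenario: r1 starts under managed mode, settings change, r2 starts, then both run."""
    acct = Account(InferenceSettings("managed"))
    r1 = acct.start_extraction()  # pinned to the managed provider
    acct.update_settings(InferenceSettings("custom", "https://inference.example.com/v1"))
    r2 = acct.start_extraction()  # the new setting applies from this request onward
    out1 = r1.run({"text": "constructed sample conversation"})  # still goes to the managed provider
    out2 = r2.run({"text": "constructed sample conversation"})  # goes to the user's endpoint
    return out1["sent_to"], out2["sent_to"]


if __name__ == "__main__":
    print(demo())
```

The design point is that the destination is a value captured by the request object, not a reference to live settings, which is what makes "a request that has already started keeps the mode and destination it began with" hold without any locking.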
Security FAQ
- Do you store the conversations I paste in?
- If you're not signed in, no — content is processed in memory and discarded immediately after extraction. Signed-in users can opt into extraction history, which is stored and can be deleted at any time.
- Is my data sent to third parties?
- When you use Extraktr-managed processing (the default), conversation content is sent to OpenAI's API for extraction processing. OpenAI's data usage policy prohibits training on API inputs. If you enable optional local processing in account settings, payloads are sent only to your chosen HTTP endpoint instead—we do not send that inference traffic to OpenAI. Other services (such as Google for sign-in) are described in our Privacy Policy.
- Where is Extraktr hosted?
- Our infrastructure runs on secure cloud platforms with data centers in the United States. All storage is encrypted at rest.
- Can I request deletion of my data?
- Yes. Signed-in users can delete their extraction history at any time. For complete account deletion or data export requests, contact privacy@extraktr.com.
- Do you have SOC 2 compliance?
- We are working toward SOC 2 Type II certification. In the meantime, we follow industry-standard security practices including encryption, access controls, and regular security reviews.
Have a security question?
If you have questions about our security practices, need a DPA, or want to report a vulnerability, contact our security team.