Trust and Security
Last updated 7 July 2026. Debiaser.ai is operated by Global Diversity Practice Ltd.
Global Diversity Practice Limited is registered in England and Wales, company no. 06894073. Registered office: 37 Nab Lane, Shipley, BD18 4HQ, United Kingdom. VAT: GB 976147190.
Data hosting and retention
Debiaser.ai stores application data and uploaded files in Convex, hosted in AWS eu-west-1. Uploaded documents, extracted text, model outputs, reports and revised documents are deleted from active service storage 7 days after a review completes. Failed reviews and abandoned drafts also receive deletion deadlines and are covered by the same purge jobs.
Billing metadata and ledger records are retained where required for accounting, tax and fraud-prevention purposes. Infrastructure-provider backups may persist for a limited period under each provider's backup-retention controls.
AI transparency
Reviews are produced with Anthropic Claude. The service provides advisory document review only: it does not make automated decisions about individuals, does not profile candidates or employees, and does not rank or score people. A human should review all recommendations before publication or action.
The product is designed to identify unnecessary wording barriers while preserving genuine role, safety, legal and performance requirements. It is not intended to recommend preferential treatment, quotas or demographic targets.
Customer content is never used by Debiaser.ai to train AI models.
Subprocessors
| Provider / entity | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Convex Convex, Inc. | Backend, database and file storage | EU — AWS eu-west-1 (primary application data) | Application data is hosted in the EU. Provider data-processing terms incorporate the EU Standard Contractual Clauses (2021/914) with the UK Addendum for any residual transfer (for example US-based support access). |
| Anthropic Anthropic, PBC | AI analysis of submitted document content | United States | Anthropic Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. API inputs and outputs are not used to train models; Anthropic may retain API data for up to 30 days for trust-and-safety purposes. |
| Vercel Vercel Inc. | Web application hosting and edge delivery | Global edge network; server functions pinned to London (lhr1) | Vercel Data Processing Agreement incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. |
| Stripe Stripe Payments Europe, Ltd. and affiliates | Payments, tax calculation, invoices and receipts | Global payment infrastructure | Stripe Data Processing Agreement incorporating Standard Contractual Clauses and the UK Addendum. Stripe is the sole holder of card details and acts as an independent controller for certain payment, fraud-prevention and regulatory data under its own privacy terms. |
| Resend Resend (resend.com) | Transactional email: sign-in codes, receipts and service notices | United States / global email delivery | Resend Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Resend delivers mail through Amazon Web Services (Amazon SES, EU region endpoints) as its infrastructure sub-provider. |
| Cloudflare Cloudflare, Inc. | Turnstile bot protection for trial-credit claims | Global security network | Cloudflare Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Turnstile processes a security token and connection metadata only. |
| Sentry Functional Software, Inc. (Sentry) | Error and performance diagnostics for the application | United States | Sentry Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Sentry is configured not to send personal data by default (sendDefaultPii disabled); it receives technical error diagnostics, not submitted documents. |
Application data is hosted in the EU; EEA–UK flows are covered by the European Commission’s adequacy decisions for the UK (renewed December 2025, in force to December 2031). Restricted transfers outside the UK/EEA rely on the safeguard listed per provider above. Material subprocessor changes are posted here, and customers with a signed DPA receive at least 30 days’ advance notice with a right to object as set out in the DPA.
Data processing agreements
Organisation admins can execute our standard DPA electronically from the organisation page: enter your organisation’s particulars, review the completed agreement, sign, and Global Diversity Practice countersigns. Both parties receive the executed copy for download. The standard terms are published here for procurement review; a separately negotiated agreement, where agreed, takes precedence.
Security model
Application controls
- Passwordless email sign-in; no passwords are stored by Debiaser.ai.
- All access to user content is mediated by authenticated server functions.
- File download URLs are short-lived and signed.
- Traffic is encrypted in transit; provider-managed storage is encrypted at rest.
- Rate limits protect auth, trial claims, task creation, uploads and payments.
Prompt-injection hardening
The analysis model receives no tools, no database access and no network access. Submitted documents are escaped and framed as untrusted data, a scope guard rejects clear non-workplace abuse, and model output must match a strict structured schema before it is saved.
Incident response and breach notification
We investigate suspected security incidents promptly. For customer content — where we act as processor — we notify the affected customer without undue delay after becoming aware of a personal data breach, with the information needed for the customer’s own UK GDPR Article 33/34 assessment, and we assist with those obligations. For data where we are controller (such as account and billing data), we notify the ICO within 72 hours where Article 33 requires it, and affected individuals where Article 34 requires it.
Vulnerability disclosure
For product support and security reports, contact waseem.ilyas@globaldiversitypractice.com; for data-protection matters, use data@globaldiversitypractice.com. Please include enough detail to reproduce the issue. We aim to acknowledge security reports within 3 business days. A machine-readable security contact is available at /.well-known/security.txt.
Certification status
Debiaser.ai does not currently hold SOC 2 or ISO 27001 certification. These are on the roadmap as the product matures for larger enterprise deployments.