Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.shareofmodel.ai/llms.txt

Use this file to discover all available pages before exploring further.

What we collect

The scope of data collection depends on the type of user.
User typeData collected
Platform usersEmail address, first name and last name only. Authentication is managed via Auth0 authentication standards.
End usersNo personally identifiable customer data (PII) is collected for analytics or CRM. We collect data from LLM models, not end users.

Data storage and security

All collected data is stored in EU data centres, behind multiple layers of security.

Restricted access

Data is not exposed to the internet. Access goes through private networks and an encrypted VPN under a least-privilege model.

Encryption standards

Data in transit uses TLS 1.3. Access is governed by short-lived JWTs and fine-grained role-based access control (RBAC).

Web Application Firewall

All API endpoints sit behind a WAF for an extra layer of defence.

ISO 27001 / SOC 2

Continuous compliance with ISO 27001 and SOC 2 Type II.

AI model providers

Share Of Model integrates with the APIs of the leading LLM providers. As of February 18, supported providers are:
  • OpenAI
  • Gemini
  • Llama
  • Anthropic
  • Deepseek
  • Perplexity
We continuously assess and update our model offerings.

Up-to-date list of models

Browse current models, status and release dates.

Connection security

  • Encryption — all data in transit uses TLS 1.2 / 1.3.
  • Authentication — connections use OAuth 2.0 and API keys.
All connections to LLM providers are encrypted and secure.

Certifications and assessments

  • ISO 27001 — best practices in information security management.
  • SOC 2 Type II — independently validated security controls and operational practices.
  • Weekly penetration tests — performed using Acunetix to surface and fix vulnerabilities proactively.

Brand and Search modules — privacy and retention

For the Brand and Search modules, no client data is stored on the platform aside from the user metadata listed above (email, first/last name). The data used in analysis comes from publicly available outputs returned by LLMs during analysis runs. You retain control over which models are used — pick or exclude specific LLMs when launching an analysis.
No confidential or proprietary client data is ever shared with third-party model providers. We have contracts with all providers enforcing strict non-retention clauses.
ProviderRetention
AnthropicUp to 30 days
OpenAI (ChatGPT)Up to 30 days
Meta LLaMAZero retention
Google GeminiZero retention
All providers are contractually bound not to use any data from our platform for model training.

Asset Evaluation — privacy and retention

Unlike the Brand and Search modules, Asset Evaluation stores client-submitted content: media files (images, videos) and textual inputs.
All stored data is treated as strictly confidential and is automatically and permanently deleted in two cases:
  • On contract termination, all associated data is fully and irreversibly removed.
  • At any time, you can delete specific content directly from the interface — triggering immediate, permanent deletion.
We never share client-submitted content with third parties, and no data is used to train AI models. Storage uses a cloud provider certified under ISO/IEC 27001. When you connect Google Ads or TikTok Ads, Share Of Model uses industry-standard protocols and encryption to keep credentials and tokens secure.

Secure authentication via OAuth 2.0

Connections rely on OAuth 2.0 — the industry standard for delegated access.
  • You never share your credentials (email, password) with Jellyfish.
  • Authentication occurs directly via Google or TikTok authorisation pages.
  • The platform receives a secure access token (and optionally a refresh token), enabling limited and revocable access to authorised resources.
OAuth exchanges happen over HTTPS, encrypting the communication in transit.

Token encryption with Google Cloud KMS

Once received, OAuth tokens are encrypted at rest with Google Cloud KMS.
  • AES-256 encryption.
  • HSM-backed keys (tamper-resistant hardware).
  • Strict access control — only the minimal set of authorised backend services can decrypt tokens.
  • Audit logging — every key use is logged and monitored.

Regular key rotation

Encryption keys rotate automatically on a scheduled basis aligned with internal compliance standards. This minimises the impact of any key compromise and ensures older keys are securely retired.

Least-privilege access

Token and KMS access follow the principle of least privilege:
  • only specific backend services request decryption,
  • internal users (including admins) cannot view or export tokens,
  • all actions are governed by strict IAM policies.

Summary

AspectMechanism
AuthenticationOAuth 2.0 (delegated access)
Data in transitHTTPS encryption
Data at restAES-256 via Google Cloud KMS
Key managementAutomated rotation + audit logs
Access controlStrict IAM, least privilege
MonitoringContinuous security monitoring and alerting
When you connect Google Ads or TikTok Ads, your credentials are never stored or visible to Jellyfish. Tokens are encrypted, protected by hardware-secured keys, rotated regularly, and accessible only through tightly controlled systems.

Subprocessors

Updated 2025-11-12.
SubprocessorPurpose
AnthropicAI/ML services
OpenAI, L.L.CAI/ML services
Google LLC (Google Cloud Platform)Cloud infrastructure (compute, storage, networking)
Cloudflare, Inc.Cloud infrastructure (CDN, hosting, DDoS protection, WAF)
SentryApplication monitoring and error tracking
HotjarApplication monitoring and error tracking
MailjetEmail delivery and transactional communications
PerplexityAI/ML services
WasabiCloud object storage
IntercomCustomer support

What’s next

Security & Compliance

The full security overview.

SLA & SLO

Availability commitments and recovery objectives.