# Data Collection & Compliance

> What Share Of Model collects, how it stores it, and how compliance is enforced end to end.

## What we collect

The scope of data collection depends on the type of user.

| User type          | Data collected                                                                                                                        |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Platform users** | Email address, first name and last name only. Authentication is managed via **Auth0** authentication standards.                       |
| **End users**      | No personally identifiable customer data (PII) is collected for analytics or CRM. We collect data from **LLMs**, not end users.        |

## Data storage and security

All collected data is stored in **EU data centres**, behind multiple layers of security.

<CardGroup cols={2}>
  <Card title="Restricted access" icon="lock">
    Data is not exposed to the internet. Access goes through private networks and an encrypted VPN under a least-privilege model.
  </Card>

  <Card title="Encryption standards" icon="shield">
    Data in transit uses **TLS 1.3**. Access is governed by short-lived JWTs and fine-grained role-based access control (RBAC).
  </Card>

  <Card title="Web Application Firewall" icon="firewall">
    All API endpoints sit behind a WAF for an extra layer of defence.
  </Card>

  <Card title="ISO 27001 / SOC 2" icon="award">
    Continuous compliance with ISO 27001 and SOC 2 Type II.
  </Card>
</CardGroup>

## AI model providers

Share Of Model integrates with the APIs of the leading LLM providers. As of February 18, supported providers are:

* OpenAI
* Gemini
* Llama
* Anthropic
* DeepSeek
* Perplexity

We continuously assess and update our model offerings.

<Card title="Up-to-date list of models" icon="microchip" href="/platform/getting-started/models-list-of-llms-models-apis">
  Browse current models, status and release dates.
</Card>

### Connection security

* **Encryption** — all data in transit uses TLS 1.2 / 1.3.
* **Authentication** — connections use OAuth 2.0 and API keys.

<Note>
  All connections to LLM providers are encrypted and secure.
</Note>

## Certifications and assessments

* **ISO 27001** — best practices in information security management.
* **SOC 2 Type II** — independently validated security controls and operational practices.
* **Weekly penetration tests** — performed using Acunetix to surface and fix vulnerabilities proactively.

## Brand and Search modules — privacy and retention

For the Brand and Search modules, **no client data is stored** on the platform aside from the user metadata listed above (email, first/last name). The data used in analysis comes from publicly available outputs returned by LLMs during analysis runs.

You retain control over which models are used — pick or exclude specific LLMs when launching an analysis.

<Note>
  No confidential or proprietary client data is ever shared with third-party model providers. We have contracts with all providers enforcing strict non-retention clauses.
</Note>

| Provider         | Retention      |
| ---------------- | -------------- |
| Anthropic        | Up to 30 days  |
| OpenAI (ChatGPT) | Up to 30 days  |
| Meta LLaMA       | Zero retention |
| Google Gemini    | Zero retention |

All providers are contractually bound **not to use any data from our platform for model training**.

## Asset Evaluation — privacy and retention

Unlike the Brand and Search modules, **Asset Evaluation stores client-submitted content**: media files (images, videos) and textual inputs.

<Note>
  All stored data is treated as strictly confidential and is automatically and permanently deleted in two cases:

  * On **contract termination**, all associated data is fully and irreversibly removed.
  * **At any time**, you can delete specific content directly from the interface — triggering immediate, permanent deletion.
</Note>

We never share client-submitted content with third parties, and no data is used to train AI models. Storage uses a cloud provider certified under **ISO/IEC 27001**.

## Google Ads & TikTok integrations

When you connect Google Ads or TikTok Ads, Share Of Model uses industry-standard protocols and encryption to keep credentials and tokens secure.

### Secure authentication via OAuth 2.0

Connections rely on **OAuth 2.0** — the industry standard for delegated access.

* You never share your credentials (email, password) with Jellyfish.
* Authentication occurs directly via Google or TikTok authorisation pages.
* The platform receives a secure access token (and optionally a refresh token), enabling limited and revocable access to authorised resources.

OAuth exchanges happen over **HTTPS**, encrypting the communication in transit.

### Token encryption with Google Cloud KMS

Once received, OAuth tokens are encrypted at rest with **Google Cloud KMS**.

* **AES-256** encryption.
* **HSM-backed** keys (tamper-resistant hardware).
* **Strict access control** — only the minimal set of authorised backend services can decrypt tokens.
* **Audit logging** — every key use is logged and monitored.

### Regular key rotation

Encryption keys rotate automatically on a scheduled basis aligned with internal compliance standards. This minimises the impact of any key compromise and ensures older keys are securely retired.

### Least-privilege access

Token and KMS access follow the principle of least privilege:

* only specific backend services request decryption,
* internal users (including admins) cannot view or export tokens,
* all actions are governed by strict IAM policies.

### Summary

| Aspect          | Mechanism                                   |
| --------------- | ------------------------------------------- |
| Authentication  | OAuth 2.0 (delegated access)                |
| Data in transit | HTTPS encryption                            |
| Data at rest    | AES-256 via Google Cloud KMS                |
| Key management  | Automated rotation + audit logs             |
| Access control  | Strict IAM, least privilege                 |
| Monitoring      | Continuous security monitoring and alerting |

<Tip>
  When you connect Google Ads or TikTok Ads, your credentials are never stored or visible to Jellyfish. Tokens are encrypted, protected by hardware-secured keys, rotated regularly, and accessible only through tightly controlled systems.
</Tip>

## Subprocessors

*Updated 2025-11-12.*

| Subprocessor                       | Purpose                                                   |
| ---------------------------------- | --------------------------------------------------------- |
| Anthropic                          | AI/ML services                                            |
| OpenAI, L.L.C.                     | AI/ML services                                            |
| Google LLC (Google Cloud Platform) | Cloud infrastructure (compute, storage, networking)       |
| Cloudflare, Inc.                   | Cloud infrastructure (CDN, hosting, DDoS protection, WAF) |
| Sentry                             | Application monitoring and error tracking                 |
| Hotjar                             | Application monitoring and error tracking                 |
| Mailjet                            | Email delivery and transactional communications           |
| Perplexity                         | AI/ML services                                            |
| Wasabi                             | Cloud object storage                                      |
| Intercom                           | Customer support                                          |

## What's next

<CardGroup cols={2}>
  <Card title="Security & Compliance" icon="shield-halved" href="/platform/getting-started/understanding-security-and-compliance-in-share-of-model-platform">
    The full security overview.
  </Card>

  <Card title="SLA & SLO" icon="gauge-high" href="/platform/getting-started/sla-slo-engagement">
    Availability commitments and recovery objectives.
  </Card>
</CardGroup>
