Security
Last updated: May 2026
Note Ticker handles confidential client documents. This page summarises how we protect that data, who has access to it, and how long it is retained. A more detailed technical memorandum is available on request for firms conducting formal vendor evaluations.
How data is transmitted and stored
- HTTPS everywhere. All traffic to noteticker.com is served over HTTPS. The application redirects HTTP to HTTPS and sends HSTS headers instructing browsers to use HTTPS for future requests.
- Hosted on Railway. The application and its data are hosted on Railway, with SSL certificates handled at the Railway edge.
- Private storage. Uploaded source documents and generated Excel reviews are stored in a private, persistent volume attached to the application. They are accessible only through the access-controlled firm dashboard.
Access and authentication
- One-time PIN sign-in. Note Ticker does not store passwords. Access to a firm's dashboard is granted via a six-digit code sent to the user's registered email address. Codes are single-use, time-bound (30 minutes), rate-limited, and locked after five failed attempts.
- Firm-level dashboards. Each firm has a separate, access-controlled dashboard. Firms may grant colleagues access by adding their email under the Team Members section.
- Administrator access. The founder retains administrator access for the purposes of customer support, quality review and maintenance.
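To make the sign-in rules above concrete, here is a small Python model of a one-time PIN store. It is an added example for this page, not Note Ticker's own code: the in-memory store, the keyed-HMAC storage of codes, the clock passed in as a number and the function names are all assumptions. It enforces the four properties the page states: six-digit code, single use, 30-minute validity, and lockout after five failed attempts.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_TTL_SECONDS = 30 * 60     # a code is valid for 30 minutes after issue
MAX_FAILED_ATTEMPTS = 5       # after five wrong guesses the code is locked


@dataclass
class PendingPin:
    tag: bytes                # HMAC of the code; the six digits themselves are never stored
    issued_at: float          # epoch seconds at issue
    failed_attempts: int = 0


class PinSignIn:
    """In-memory store of outstanding sign-in codes (hypothetical: stands in for the
    application's database). One outstanding code per email address."""

    def __init__(self, server_key=None):
        # Keyed HMAC rather than a bare hash: a six-digit code has only a million
        # possible values, so a copy of this table alone must not be enough to
        # recover codes. The key lives only on the server.
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}

    def _tag(self, code):
        return hmac.new(self._key, code.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, email, now):
        """Create a fresh code for the address; the return value goes to the email sender only."""
        code = f"{secrets.randbelow(10 ** 6):06d}"        # uniformly random, zero-padded
        # issuing a new code replaces any earlier outstanding code for that address
        self._pending[email.lower()] = PendingPin(self._tag(code), now)
        return code

    def verify(self, email, code, now):
        """Returns one of: ok, no_code, expired, locked, invalid."""
        key = email.lower()
        rec = self._pending.get(key)
        if rec is None:
            return "no_code"
        if now - rec.issued_at > PIN_TTL_SECONDS:
            del self._pending[key]                          # time-bound: stale codes are discarded
            return "expired"
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"                                 # the user must request a new code
        if not hmac.compare_digest(rec.tag, self._tag(code.strip())):   # constant-time comparison
            rec.failed_attempts += 1
            return "locked" if rec.failed_attempts >= MAX_FAILED_ATTEMPTS else "invalid"
        del self._pending[key]                              # single-use: a correct code is consumed
        return "ok"
```

The lockout counts failed attempts against the outstanding code; throttling how often a code may be requested for an address is a separate control and is not shown here. A locked or expired code is only cleared by issuing a new one.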
Retention and deletion
- 30-day retention. Source documents and generated Excel reviews are retained on the firm's dashboard for 30 days from the date of analysis. After that, the application's cleanup process removes the stored files and marks the analysis as expired.
- Limited metadata retained. For account administration, billing and audit-trail purposes, Note Ticker retains limited metadata such as firm name, user email, analysis type, analysis date, token usage and file names. This metadata is distinct from source documents and Excel review files.
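The two points above, taken together, describe a cleanup job that removes stored files after 30 days but keeps the record of the analysis. The following Python sketch is an added example for this page, not Note Ticker's own cleanup process; the record layout, the storage layout under a root folder, the epoch-seconds clock and the injectable file-removal hook are assumptions. It shows the behaviour a practitioner would check for: the 30-day boundary, the metadata (firm, type, date, file names) surviving expiry, idempotent re-runs, and stored file names never resolving outside the firm's folder.

```python
from dataclasses import dataclass
from pathlib import Path

RETENTION_SECONDS = 30 * 24 * 3600   # files are kept for 30 days from the analysis date


@dataclass
class Analysis:
    """One stored analysis. Every field here is metadata that is retained;
    only the files named in file_names are removed at expiry."""
    analysis_id: str
    firm: str
    analysis_type: str
    analysed_at: float          # epoch seconds of the analysis
    file_names: list            # source documents and the generated Excel review
    status: str = "available"   # set to "expired" by cleanup


def stored_path(root, a, file_name):
    """Where a file for this analysis lives. Only the basename of the stored name is
    used, so a stored file name can never resolve outside the firm's own folder."""
    return Path(root) / a.firm / a.analysis_id / Path(file_name).name


def _unlink(path):
    try:
        path.unlink()
    except FileNotFoundError:
        pass   # an earlier run may already have removed it; that is not an error


def cleanup(analyses, root, now, remove=_unlink):
    """Delete stored files for analyses at least 30 days old and mark them expired.
    Returns the ids expired in this run. Safe to re-run: expired records are skipped."""
    expired = []
    for a in analyses:
        if a.status == "expired":
            continue
        if now - a.analysed_at < RETENTION_SECONDS:
            continue
        for name in a.file_names:
            remove(stored_path(root, a, name))
        a.status = "expired"       # the record itself stays, with its file names
        expired.append(a.analysis_id)
    return expired
```

In production the `remove` hook is the real `unlink`; it is a parameter only so the logic can be exercised without touching a disk.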
How emails are handled
- Notification-only emails for paid firm analyses. When a paid firm analysis is complete, Note Ticker sends a notification email confirming that the review is ready. The Excel output and the uploaded source documents are not attached. Users access the output by signing in to the firm's dashboard.
- SOC 2 Type II email provider. Note Ticker uses Resend, a SOC 2 Type II compliant provider, for transactional email. Resend states that all datastores are encrypted at rest and TLS 1.3 or higher is used for data in transit.
- Free trial flow is different. For users running an analysis through the free trial (rather than a registered firm dashboard), the source documents and Excel output are sent to the user by email, because there is no dashboard to deliver them to. Firms with security concerns about the free trial flow should sign up for a firm account and use the dashboard.
How Anthropic's API is used
Note Ticker uses Anthropic's API to perform parts of the analysis. Anthropic publishes the following commercial terms which are relevant to firm evaluations:
- No model training on inputs. Anthropic states that, by default, inputs and outputs from its commercial products (including the Anthropic API) are not used to train its models.
- 30-day deletion on Anthropic's backend. Anthropic states that inputs and outputs are automatically deleted from its backend within 30 days of receipt or generation, subject to limited exceptions (such as compliance with law).
References: Anthropic on model training and Anthropic on data retention.
Optional client-side redaction
Where firms wish to redact information before transmission, Note Ticker provides an optional in-browser redaction tool. The user uploads the draft AFS, selects areas of the PDF to redact, previews what the AI will receive, and only the redacted version is then sent for processing.
Application-level security measures
The application enforces standard web application security controls including HTTPS redirection and HSTS, cookie hardening, rate limiting, and frame-busting headers.
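The controls listed above, as an added example for this page rather than Note Ticker's own code: a small WSGI middleware in Python that redirects HTTP to HTTPS, sends HSTS only on HTTPS responses, adds frame-busting and related headers, and builds a hardened session cookie. The header values, the canonical host names, and the function names are this example's assumptions. It also covers a point the page implies but does not spell out: when certificates are handled at an edge (as described for Railway above), the application itself receives plain HTTP and must learn the client's scheme from the X-Forwarded-Proto header, which it should trust only when it is reachable solely through that edge.

```python
from http.cookies import SimpleCookie

CANONICAL_HOST = "noteticker.com"                 # assumption for this example
ALLOWED_HOSTS = {CANONICAL_HOST, "www." + CANONICAL_HOST}
HSTS_MAX_AGE = 31_536_000                         # one year

# Added to every HTTPS response unless the application already set the header.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
    ("X-Frame-Options", "DENY"),                             # frame-busting, legacy form
    ("Content-Security-Policy", "frame-ancestors 'none'"),   # frame-busting, CSP form
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def request_scheme(environ, trust_forwarded_proto=True):
    """Scheme the browser used. Behind an edge that terminates TLS the app sees plain
    HTTP, so X-Forwarded-Proto is consulted; if the app were reachable directly,
    any client could set that header, so the trust flag must then be False."""
    if trust_forwarded_proto:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


def redirect_to_https(environ):
    """301 to the same path over HTTPS. HSTS is deliberately absent here: browsers
    ignore Strict-Transport-Security on plain-HTTP responses."""
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST   # never redirect to a host taken from an unverified Host header
    target = "https://" + host + environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]
    return "301 Moved Permanently", [("Location", target), ("Content-Length", "0")]


def add_security_headers(headers):
    """Append the hardening headers, keeping any the application set itself."""
    present = {name.lower() for name, _ in headers}
    return list(headers) + [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]


def session_cookie(name, value, max_age):
    """Set-Cookie value for the dashboard session: Secure (HTTPS only),
    HttpOnly (no script access), SameSite=Lax (not sent on cross-site POSTs)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


class SecurityMiddleware:
    """WSGI wrapper: redirect HTTP to HTTPS, harden every HTTPS response."""

    def __init__(self, app, trust_forwarded_proto=True):
        self.app = app
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if request_scheme(environ, self.trust_forwarded_proto) != "https":
            status, headers = redirect_to_https(environ)
            start_response(status, headers)
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers), exc_info)

        return self.app(environ, hardened_start_response)
```

Rate limiting is the one control from the list not shown here; it belongs at the edge or in a per-route limiter rather than in a response-header wrapper. The host allowlist matters because the redirect target is built from the request, and an unverified Host header would otherwise turn the redirect into a way off the site.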
Current limitations
Note Ticker is not currently SOC 2 or ISO 27001 certified. These certifications are appropriate at a more mature stage of the business and will be pursued as the customer base scales. In the meantime, Note Ticker uses commercially recognised infrastructure providers that themselves operate under SOC 2 controls (Railway, Resend, Anthropic), and the application enforces the security measures described above.
Note Ticker is a tool, not a substitute for audit judgment
Note Ticker is designed to assist auditors with the mechanical verification and comparison work undertaken during the finalisation stage of an audit. The output should be regarded as a useful first draft, not the end product. Audit teams must apply professional scepticism in reviewing the output. Please refer to our Terms of Use for the full description of what Note Ticker does and does not do.
Vendor evaluation and detailed enquiries
If your firm is conducting a formal vendor evaluation, or if your IT or risk function requires more detail than is set out on this page, please get in touch. A detailed technical memorandum covering data handling, architecture, accuracy controls and recommended evaluation approaches is available on request.
Contact: hello@noteticker.com