Security and data handling

Where your submittal data lives, and who can see it.

Deviation Check processes Construction Specifications Institute (CSI) spec sections and subcontractor submittal packages on behalf of subcontractors and General Contractor Project Managers (PMs). This page documents exactly what we collect, where it lives, who has access, what we never do with it, and how long we keep it. The commitments below mirror the binding versions in our Privacy Policy and Terms of Service; if anything here is unclear, reach out via the contact form.

What we collect

Three categories, all customer-initiated.

  • Spec section. The Construction Specifications Institute (CSI) Division 09 section that applies to a given submittal (5-50 pages, not a full spec book). Uploaded as a single PDF, Markdown (.md), or plain-text (.txt) file up to 100 megabytes.
  • Subcontractor submittal package. The submittal package the sub provided you, combined into one file before upload (cut sheets, certifications, samples, warranty data, installation details). Same format and size limits as the spec.
  • Order and account metadata. Work email, optional company, the tier you purchased, filenames, file sizes, processing timestamps, your account ID, and the resulting deviation report and basic verdict metadata. If you contact us through the form, we also collect first name, last name, optional company, the subject of the inquiry, and your message.

Every upload is validated by content sniffing: we read the file's first bytes to confirm the file matches the declared type (a file named .pdf must actually begin with the PDF magic-byte signature). Files that fail this check are rejected before any processing occurs. Uploads are rate-limited per account and per Internet Protocol (IP) address; limits are enforced server-side.

We log a SHA-256 fingerprint of each uploaded file for fraud detection. The hash is retained after the source file itself is deleted, so we can detect the same file being submitted by different accounts. The hash alone cannot reconstruct the document.

Where the data lives

Cloudflare object storage, United States region. Every uploaded file lands in a Cloudflare-hosted, US-resident object store under a per-account prefix. Files are encrypted at rest by the storage backend and in transit (HyperText Transfer Protocol Secure, HTTPS, with Transport Layer Security 1.3) to our Application Programming Interface (API) at api.deviationcheck.com.

Order and account metadata. Stored alongside customer files in the same US-resident object store, partitioned by account. Same encryption posture.

AI processing transit. When a review runs, the spec section and submittal are forwarded to our Large Language Model (LLM) processor (Anthropic) over their commercial API for the duration of the review only. We do not render uploaded documents in a browser context on our infrastructure; the only place document content is opened is the LLM call itself.

Email transit. Transactional and outbound emails (order confirmations, report-ready notifications, contact-form replies) are sent through Resend on a verified Deviation Check sub-domain. We do not include spec content, submittal content, or generated reports in email bodies; emails contain account references and links into the Site.

Customer Relationship Management (CRM). Contact-form submissions and deal records are stored in HubSpot. We never put spec content, submittal content, or generated reports into the CRM; HubSpot holds contact details, account, and deal records only.

Payments. Stripe processes invoices and checkout. We never see or store your full card number; Stripe handles that. No spec content, submittal content, or generated reports transit Stripe.

Who has access

  • Aliso LLC personnel with scoped, audit-engagement access. Today this is the founder. Access to production storage is multi-factor authenticated and access events are logged.
  • You. Your account is the canonical surface for retrieving reports. Reports are available for the retention window described below.
  • Cloudflare, as our infrastructure subprocessor: hosts the Site, runs the API at api.deviationcheck.com, and provides Turnstile bot protection on the Contact form.
  • Anthropic, as our AI processing subprocessor: receives the spec and submittal text for the duration of a review through Anthropic's commercial API. As of the date this page was last reviewed, Anthropic states that content submitted through its commercial API is not used to train foundation models.
  • Stripe, as our payment subprocessor: payment metadata only; never spec content, submittal content, or generated reports.
  • HubSpot, as our Customer Relationship Management (CRM) subprocessor: contact details and deal records only; never spec content, submittal content, or generated reports.
  • Resend, as our email-delivery subprocessor: email content only; never spec content, submittal content, or generated reports.

The full subprocessor list and binding terms live in the Privacy Policy and Terms of Service.

What we never do

  • We never train artificial intelligence (AI) models on your data. Spec sections, submittal packages, and generated reports are not used to train, fine-tune, evaluate, or otherwise improve any model owned by Aliso LLC. Our LLM processor (Anthropic) similarly states that commercial-API content is not used to train its foundation models; if that vendor position changes materially, we update this page and the Privacy Policy.
  • We never sell or rent your data. Not for analytics, not for marketing, not for any commercial purpose. We do not run advertising networks. We do not embed third-party widgets on the Site.
  • We never auto-decide a submittal. The Service is AI-assisted, not AI-decided. Every report includes a Project Manager (PM) sign-off line. The PM remains responsible for final approval and sign-off on every submittal. The Service does not replace PM, Architect, or Engineer judgment; it is intended to identify potential deviations for human review.
  • We never transit spec, submittal, or report content through email. Emails contain account references and links into the Site. The documents stay in storage.
  • We never store your data outside the United States. Our object storage is US-resident. Our subprocessors are governed by their own privacy policies; we do not knowingly route customer Content through non-US regions.
  • We never run behavioral analytics, visitor profiling, or marketing pixels on the Site. No Google Analytics, no Fathom, no retargeting pixels, no third-party ad networks, no fingerprinting libraries. The public marketing pages load Plausible for cookieless aggregate analytics (pageviews and a small number of named conversion events; no cookies set, no Internet Protocol address retention, no cross-site or cross-device tracking, no data shared with advertising networks). The Contact form loads Cloudflare Turnstile for bot protection. Nothing else third-party loads on the Site.
  • We never render uploaded documents in our application. Files are forwarded only to the LLM processor for analysis. They are not opened in a browser context on our infrastructure.

How long we keep it

Retention windows are fixed and not user-configurable. The schedules below apply by default; there is no opt-in to extend. If you need an artifact long-term, export it within the retention window. After the window closes, data is removed from active systems and from backups per the backup lifecycle schedule.

Source files (your spec and submittal documents). Removed from active systems within 7 days of report generation, regardless of subscription tier. Backup copies are removed per the backup lifecycle schedule (typically within 30 days).

Reports (the deviation reports we generate).

  • Per-submittal (pay-as-you-go) accounts: reports retained for 30 days from generation. Export anytime within that window.
  • Project and Firm Suite (subscription) accounts: reports retained for the duration of your active subscription plus 30 days after cancellation. Export anytime during that window.
  • After the applicable window, reports are removed from active systems; backup copies are removed per the backup lifecycle schedule. There is no opt-in to extend.

Account, contact, and Customer Relationship Management (CRM) records. Retained while your relationship with Deviation Check is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out.

Email correspondence. Retained in our email-delivery service's logs and our mail provider's archive while the relationship is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out.

Paid invoices and tax records. Retained for 7 years as required by United States tax and accounting law. Deletion of paid-invoice records during this period is not possible.

Deletion requests covered by California's Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable state privacy laws are routed through the contact form or as described in the Privacy Policy.

If something goes wrong

Breach notification commitment. If we confirm an incident of unauthorized access, loss, or disclosure of personal information or Customer Content (the spec sections, submittals, or reports you uploaded), we will notify affected customers without undue delay. The notification will describe the nature of the incident, the data categories involved, our containment steps, and any action we recommend you take. Where state breach-notification statutes apply (for example, California Civil Code section 1798.82), we will comply with the timing and content requirements of those statutes.

How to report a suspected incident or vulnerability. Use the contact form with subject "SECURITY". We commit to acknowledging within one business day and substantively responding within five business days. Please do not include exploit details or sensitive Customer Content in the initial message; we will coordinate a secure channel for follow-up if needed.

No security program eliminates risk. No method of transmission over the public Internet and no method of electronic storage is 100 percent secure; we cannot guarantee absolute security against unauthorized access, interception, or disclosure.

Compliance posture, honestly

Here is what we have and what we do not.

  • Service Organization Control 2 (SOC 2): not currently certified. If your procurement requires a SOC 2 report or a security questionnaire, contact us through the form with subject "SECURITY"; we can provide subprocessor lists and security questionnaire responses as an interim measure.
  • International Organization for Standardization (ISO) 27001: not currently certified.
  • General Data Protection Regulation (GDPR), European Union (EU) and United Kingdom (UK): the Site and Service are intended for a United States business audience and we do not actively market to or target EU or UK residents. Where GDPR or UK GDPR nonetheless applies, we honor the lawful bases and data-subject rights described in the Privacy Policy.
  • State privacy laws (California's CCPA / CPRA, Virginia's VCDPA, Colorado's CPA, and similar): we honor data-subject access, rectification, deletion, portability, and objection requests through the routing described in the Privacy Policy.
  • Health Insurance Portability and Accountability Act (HIPAA): not applicable. We do not collect, store, or process Protected Health Information (PHI). Do not upload patient data; the Service only needs CSI spec sections and submittal packages.
  • Domain expertise vs. legal compliance. Our domain is AI-assisted construction submittal review, not regulated information security or privacy law. The commitments on this page describe what we do; the binding versions are the Privacy Policy and Terms of Service. If your firm needs a specific certification or contractual representation we have not made here, ask through the form and we will tell you whether we can support it.

How to verify these claims

Three ways to confirm what is on this page.

  1. Read the Terms of Service and Privacy Policy. Both are accepted on use of the Site and Service and are the binding versions of these commitments. If something on this page differs from those documents, the legal documents govern.
  2. Ask a security or procurement question. Use the contact form with subject "SECURITY"; we will acknowledge within one business day and respond substantively within five business days.
  3. Inspect the Site posture in your browser. The Site ships a strict Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a restrictive Permissions-Policy. You can verify these in browser DevTools or with any HTTP header inspector.

This page is a public commitment. We update it as our infrastructure changes; the date below shows when it was last reviewed.

Last reviewed: May 10, 2026.

AI-assisted submittal review for subcontractors and GC project managers. A product of Aliso LLC dba Deviation Check.

© 2026 Aliso LLC dba Deviation Check. All rights reserved. deviationcheck.com