Security
Last updated: June 15, 2026
Security is foundational to how we build and operate CitationWorks. This page summarizes the technical and organizational measures CitationWorks Inc. uses to protect your data. It is intended as a transparent overview and may evolve as our practices mature.
1. Payment Security
All payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Card details are transmitted directly to Stripe and are never stored on our servers; we retain only limited, non-sensitive billing metadata (such as subscription status and the last four digits of a card) needed to manage your account. This means sensitive cardholder data stays within Stripe's PCI-compliant environment.
2. Encryption
- In transit: — all traffic to and from the Services is encrypted using TLS (HTTPS).
- At rest: — data is stored on managed infrastructure that encrypts data at rest using industry-standard algorithms.
3. Infrastructure & Hosting
The Services run on reputable cloud infrastructure providers with robust physical and network security, redundancy, and continuous monitoring. Our database and application layers are isolated, and access to production systems is restricted and logged.
4. Access Controls
We follow the principle of least privilege. Access to production systems and customer data is limited to authorized personnel who need it to operate the Services, protected by strong authentication. Account sign-in is secured, and we encourage you to use strong, unique credentials.
5. Data Protection & Retention
We collect only the data needed to provide the Services and retain it only as long as necessary, consistent with our Privacy Policy. Customer data is logically separated by account, and we take measures to prevent unauthorized access, disclosure, or loss.
6. Sub-Processors
We rely on vetted third-party sub-processors, including Stripe (payments), cloud hosting and database providers, email delivery providers, and AI/large language model providers, each bound by confidentiality and data-protection obligations. We do not sell customer data.
7. Monitoring & Resilience
We monitor our systems for availability, errors, and suspicious activity, and rely on managed infrastructure with backups and redundancy to support recovery in the event of disruption. We apply security updates to our dependencies on an ongoing basis.
8. Incident Response
We maintain processes to detect, investigate, and respond to security incidents. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.
9. Your Responsibilities
Security is a shared responsibility. Please keep your credentials confidential, use a strong password, ensure people in your organization only have the access they need, and notify us immediately if you suspect unauthorized access to your account.
10. Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email us at security@citationworks.com with details so we can investigate. We ask that you give us a reasonable opportunity to remediate before any public disclosure and that you avoid accessing or modifying other users' data during your research.
11. Contact
For any security questions, contact security@citationworks.com.
CitationWorks Inc.
Shibuya, Tokyo, Japan