Security

Last updated: June 15, 2026

Security is foundational to how we build and operate CitationWorks. This page summarizes the technical and organizational measures CitationWorks Inc. uses to protect your data. It is intended as a transparent overview and may evolve as our practices mature.

1. Payment Security

All payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Card details are transmitted directly to Stripe and are never stored on our servers; we retain only limited, non-sensitive billing metadata (such as subscription status and the last four digits of a card) needed to manage your account. This means sensitive cardholder data stays within Stripe's PCI-compliant environment.

2. Encryption

  • In transit:all traffic to and from the Services is encrypted using TLS (HTTPS).
  • At rest:data is stored on managed infrastructure that encrypts data at rest using industry-standard algorithms.

3. Infrastructure & Hosting

The Services run on reputable cloud infrastructure providers with robust physical and network security, redundancy, and continuous monitoring. Our database and application layers are isolated, and access to production systems is restricted and logged.

4. Access Controls

We follow the principle of least privilege. Access to production systems and customer data is limited to authorized personnel who need it to operate the Services, protected by strong authentication. Account sign-in is secured, and we encourage you to use strong, unique credentials.

5. Data Protection & Retention

We collect only the data needed to provide the Services and retain it only as long as necessary, consistent with our Privacy Policy. Customer data is logically separated by account, and we take measures to prevent unauthorized access, disclosure, or loss.

6. Sub-Processors

We rely on vetted third-party sub-processors, including Stripe (payments), cloud hosting and database providers, email delivery providers, and AI/large language model providers, each bound by confidentiality and data-protection obligations. We do not sell customer data.

7. Monitoring & Resilience

We monitor our systems for availability, errors, and suspicious activity, and rely on managed infrastructure with backups and redundancy to support recovery in the event of disruption. We apply security updates to our dependencies on an ongoing basis.

8. Incident Response

We maintain processes to detect, investigate, and respond to security incidents. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.

9. Your Responsibilities

Security is a shared responsibility. Please keep your credentials confidential, use a strong password, ensure people in your organization only have the access they need, and notify us immediately if you suspect unauthorized access to your account.

10. Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email us at security@citationworks.com with details so we can investigate. We ask that you give us a reasonable opportunity to remediate before any public disclosure and that you avoid accessing or modifying other users' data during your research.

11. Contact

For any security questions, contact security@citationworks.com.

CitationWorks Inc.
Shibuya, Tokyo, Japan