Security.

Itemic runs on Google Cloud / Firebase with TLS-only transport, IAM scoped to least privilege, and Firestore security rules that enforce per-org isolation. API keys are stored hashed; Index data served to clients is anonymised aggregate only. Billing is handled by Stripe and never touches our infrastructure.

We accept responsible-disclosure reports for any vulnerability in the API or web surfaces. Please email security@itemic.us with a description and reproduction steps; do not publicly disclose before we have had a reasonable chance to remediate.

Formal compliance attestations (SOC 2, ISO 27001) are on the roadmap as the customer base scales. Contact us for a current security review if you are evaluating Itemic for an enterprise deployment.

This is a v0.1 summary. A more detailed whitepaper is in preparation.