Security & Data Handling
Last updated: 2026-07-17
A sales export is one of the most sensitive files a parts business has. The business-mix analysis is built so that our servers never receive it. This isn't a policy promise — it's how the software is architected, and you can verify it from your own browser.
Analysis Happens in Your Browser
When you upload a CSV or Excel export, the file is parsed entirely in your browser — it is never uploaded. Column detection and mapping (part number, revenue, date, quantity, customer, condition) run client-side, and all revenue-weighting, trend, and customer-concentration math is computed on your machine. The enriched Excel download and the PDF export are also generated locally in your browser.
What Is Sent, What Isn't
- Bare part numbers only — deduplicated and normalized, sent in batches of up to 5,000 distinct part numbers (at most 50,000 per analysis) to be matched against the classified database.
- The raw file itself
- Revenue and prices
- Dates and quantities
- Customer names
The classification endpoint accepts a list of part numbers and returns classification data for them. It has no field for anything else.
Shared Snapshots Are Aggregates Only
Creating a shareable report link is opt-in (it requires entering your email). When you do, the aggregated report is uploaded so the link can be viewed — the platform/ATA/class breakdowns, match rates, and trend buckets, including revenue totals if your file had a revenue column. What is never uploaded:
- Raw rows.Snapshots store only the aggregated result — never your file or its line items. The snapshot payload is capped at 100 KB, a size a raw sales export wouldn't fit in.
- Customer names. Customer-level detail is stripped in your browser before the snapshot is sent, and the server additionally discards the customer field on any payload it receives — defense in depth.
Share links use a random, unguessable identifier. Anyone you give the link to can view that snapshot, so treat the link accordingly.
Infrastructure
- Hosting: Vercel (application and edge network).
- Database: Supabase (managed PostgreSQL) — stores the parts directory, opt-in emails, and aggregated shared snapshots. Never raw uploads.
- In transit: all traffic between your browser and the service is encrypted over TLS (HTTPS).
- API hygiene:classification requests are capped at 5,000 part numbers each, snapshot uploads are size-capped and rate-limited, and error responses are generic so internal details aren't leaked.
Standard server logs (IP address, user agent, request path) are kept by our hosting provider — see the Privacy Policy for details.
What We Don't Claim
We do not currently hold SOC 2 or ISO 27001 certification, and we don't make compliance claims we can't back. The security model here is simpler and stronger for this use case: the sensitive data never reaches us, so there is no copy of your sales data on our side to protect, breach, or subpoena.
Verify It Yourself
Open your browser's developer tools (Network tab) and run an analysis. You'll see requests to /api/classify containing only part numbers — no revenue, no dates, no customer names. We'd rather you check than take our word for it.
Reporting a Security Issue
Found a vulnerability or something that doesn't match what this page says? Email info@aeropartsintel.com. We take accuracy on this page as seriously as the fix.