Security
Last reviewed:
How Sebtember stores, processes, and protects your data — and where the boundaries are. Where this page is short, the Privacy Policy and Terms are the legal references.
Data residency
Customer data is stored in the European Union, on Google Cloud Platform infrastructure. Sebtember is operated by Mondas Ltd., a Lithuanian company registered with the State Data Protection Inspectorate of Lithuania (No. P7140).
No model training on your data
Sebtember uses Google's Gemini API for inference. Per Google Cloud's enterprise terms (which Sebtember inherits), customer prompts and uploaded content are not used to train Google's AI models. Your documents stay yours.
Encryption
- AES-256 at rest on Google Cloud Storage and Firestore.
- TLS 1.2+ in transit between every service boundary.
- Documents are stripped of human-readable text on ingest and stored as vector embeddings. The original file is encrypted at rest; the indexed representation cannot be reconstructed back into readable prose.
Access control
Sebtember organizes content into Catalogues. Each Catalogue has an admin who decides which members and clients can access it. Access is granted by single-use invitation tokens, which can be paused, revoked, or scoped to a limited time window. Invited users can never see the Catalogue's file list directly — they interact with the content only through cited AI answers.
Kill switch — permanent deletion
Catalogue admins can delete a Catalogue at any time. Deletion permanently removes every file, every embedded vector, and every chat history attached to that Catalogue. There are no backups, no recovery, and no exceptions. Deleting your account triggers the same cascade across every Catalogue you own.
Sub-processors
Sebtember relies on a small list of sub-processors to deliver the service:
- Google Cloud Platform — hosting, storage, compute, Firestore, and the Gemini API. EU regions.
- Vercel — hosting the marketing site and Next.js application edge.
- Stripe — payment processing for token top-ups. Stripe handles all card data; Sebtember never sees raw card numbers.
We do not use third-party analytics, advertising pixels, or behavioural trackers on any Sebtember surface — public or authenticated.
Inherited infrastructure controls
Sebtember runs entirely on Google Cloud Platform, which itself maintains the following certifications. Sebtember inherits these infrastructure controls but does not hold the certifications itself as a product:
- SOC 1 / ISAE 3402, SOC 2, SOC 3
- FedRAMP
- PCI DSS Level 1
- ISO 27001 / 27017 / 27018
GDPR rights
EU users have the right to access, correct, delete, and export their personal data. The deletion mechanism is built into the product (see kill switch). Other rights are exercised by emailing hello@sebtember.app.
Reporting a security issue
If you believe you have found a security vulnerability in Sebtember, please email hello@sebtember.app with the subject line "Security report". We respond to verified reports within 72 hours.
© 2026 Sebtember. Operated by Mondas Ltd. (Reg. 304217890, VAT LT100010069711).