ScholarPetition

Security

Last updated: 2026-05-15

This page is written for researchers, not procurement teams. If you're pasting a draft petition letter into a tool, you want to know exactly what happens to that text. The short version is below; the long version follows.

In one paragraph

Your evidence and drafts live in a Postgres database and a Cloudflare R2 bucket that nobody else can read. Drafting traffic goes to Anthropic's API, which by default does not use API inputs or outputs to train models. Sign-in uses a magic link, not a password. Database backups age out in 7 days; document versions in 30; account deletion is permanent once the backups roll off.

What we store

  • Account & workspace metadata — email, workspace name, role, invite tokens.
  • Scholar profile fields — what you typed into the profile page (name, institution, field of study, education and employment history, country of birth and nationality).
  • Publications and recommenders — entries you added or imported, including DOIs, citation counts, and recommender contact info.
  • Uploaded documents — your CV, citation reports, awards, grant letters, peer-review and editorial invitations. Anything you actually upload as evidence.
  • Generated drafts — petition cover letters and recommendation letters that the drafting service produces, plus the audit-log row that records when each was generated and from what evidence.

What we don't store

  • Passwords. Sign-in is magic-link only; there's no password to lose or reuse.
  • Card numbers. Payments (when present) go through Stripe; we receive a customer reference, never a raw PAN.
  • Your USCIS receipt or status. You file separately. We never see USCIS responses unless you choose to upload an RFE or decision for context.
  • Other scholars' data. Workspaces are isolated at the database row level; you cannot see another researcher's evidence, drafts, or recommenders, and they cannot see yours.

Where it lives

  • Database — managed Postgres (Neon, serverless tier), encrypted at rest by the provider, with 7-day point-in-time recovery.
  • Documents — Cloudflare R2 (S3-compatible), encrypted at rest, server-side. Versioning is enabled, so accidental deletes are reversible for 30 days before they age out.
  • Document download URLs — presigned, and they expire 15 minutes after we hand them to your browser. They are not long-lived shared links.
  • When you delete a workspace, the live row-level data is removed immediately. Database backups age out within 7 days; R2 versions age out within 30.

How it travels

  • All connections between your browser and the application are HTTPS. TLS 1.2 minimum.
  • Internal hops between the application and storage providers use the providers' own TLS-terminated endpoints.
  • Document downloads use short-lived presigned URLs, not long-lived shared links.

Drafting and the AI provider

When the product drafts a petition cover letter or a recommendation letter, the prompt — which contains the relevant slice of your evidence — is sent to Anthropic's Claude API. Per Anthropic's commercial terms, API inputs and outputs are not used to train Anthropic's models by default.

The drafting service streams the response back into your draft and records an audit-log row (timestamp, model, source evidence IDs) so you can see exactly what generated what.

Who can see your data

  • You, signed in.
  • Users you invite to your workspace, with the role you assigned them (admin can do everything; viewer is read-only).
  • An attorney you explicitly engage through the optional review tier — and only the data tied to that engagement.
  • ScholarPetition engineering staff, when debugging an issue you've reported, on a least-access basis. We log every such access against a ticket.
  • Nobody else. We don't sell, rent, or share data with marketing partners; we don't fingerprint researchers across products.

Sign-in

  • Magic-link only. You type your email, we send a single-use token, and clicking the link exchanges it for an 8-hour session.
  • Token TTL. The magic link expires in 30 minutes; the resulting session JWT expires in 8 hours.
  • Brute-force protection. Sign-in requests are rate-limited per IP.
  • Session rotation. Operators can invalidate every existing session by rotating the JWT signing secret — you'd be asked to sign in again with a fresh link.
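
The sign-in flow above, as an added example (not ScholarPetition's code): a single-use magic-link token with a 30-minute TTL is exchanged for a session JWT that expires after 8 hours, and rotating the signing secret invalidates every existing session. The `MagicLinkAuth` class, the in-memory token store and the HS256 algorithm are assumptions for illustration; only the TTLs and the flow come from this page.

```python
import base64, hashlib, hmac, json, secrets, time

MAGIC_LINK_TTL = 30 * 60     # from the page: magic link expires in 30 minutes
SESSION_TTL = 8 * 60 * 60    # from the page: session JWT expires in 8 hours

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(secret: bytes, signing_input: str) -> str:
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

class MagicLinkAuth:
    """Hypothetical sketch; a real service would keep pending tokens in its database."""
    def __init__(self, jwt_secret: bytes):
        self.jwt_secret = jwt_secret
        self._pending = {}   # sha256(token) -> (email, expires_at); raw token is never stored

    def issue_link_token(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (email, now + MAGIC_LINK_TTL)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        # pop() enforces single use: a replayed link finds no entry, expired or not
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry[1]:
            return None
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": entry[0], "iat": int(now), "exp": int(now) + SESSION_TTL}
        body = f"{header}.{_b64(json.dumps(claims).encode())}"
        return f"{body}.{_sign(self.jwt_secret, body)}"

    def verify_session(self, jwt, now=None):
        now = time.time() if now is None else now
        try:
            header, claims, sig = jwt.split(".")
        except ValueError:
            return None
        # Always recompute HMAC-SHA256 with the current secret; the header's "alg" is never
        # trusted, and a rotated secret makes every previously issued session fail here.
        expected = _sign(self.jwt_secret, f"{header}.{claims}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        payload = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
        return payload["sub"] if now < payload["exp"] else None
```

Storing only the SHA-256 of the pending token means a read of the token table does not yield usable sign-in links.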

Deleting your data

From the application, you can delete individual publications, recommenders, drafts, and uploaded documents at any time. To delete an entire workspace, email hello@visagenius.io from the account address; we remove the row-level data immediately and the backups age out within 30 days. We will confirm the deletion in writing.

Reporting a vulnerability

If you've found a security issue, please email security@visagenius.io with a description and reproduction steps. We will acknowledge within two business days. We don't yet run a paid bug-bounty program; we'll credit anyone who reports a verified issue (with their permission) in the changelog.

What's not on this page yet

ScholarPetition is an early-stage product. We are not yet SOC 2-audited, ISO 27001-certified, or HIPAA-aligned (and we don't store health information, so HIPAA shouldn't apply). If your institution requires a vendor security review before you can use the product, email hello@visagenius.io and we'll walk through it.

This page describes controls in place as of the date above. If you spot something here that doesn't match what the product actually does, that's a security issue — please report it.