hey cass.

security & data practices

built for agencies that answer to the public.

Your evaluators, your counsel, and your records custodian all get a straight answer here. This page is written to be printed and put in the file.

Your inputs never train AI models

Customer inputs are not used to train the underlying AI models. Conversations are retained to operate the service, support safety, and improve reliability — never resold, never used for model training.

No PII or PHI stored by design

Cass works from role descriptions, not names. When a user pastes identifying details, drafts are written without propagating them, and the after-action record is written for the public record. Personal health information has no place in the product and none is stored.

A human approves every word

Nothing auto-fires. Every statement, release, alert, and social post requires the credentialed PIO's explicit approval before it leaves the agency. Cass is disclosed as AI everywhere she appears.

Encryption in transit, least-privilege access

Connections to the site and between our systems use TLS. Internal access follows the principle of least privilege with audit logging; administrative surfaces sit behind additional access controls beyond the product login.

Account security

Sign-in uses one-time email codes or Google sign-in — no passwords for us to lose. Sessions are hardened server-side and can be revoked.

US-based infrastructure

The product runs on Cloudflare's platform with data stored in the United States. Automated backups run on a regular schedule.

Built for the public record

Released statements are treated as public records — retained, timestamped, and never silently purged. The activity log is your ICS-214; exports exist because records requests are a reality of this work, not an afterthought.

Published sub-processors

Every third party that touches service data is named publicly, with what it does and why — including our AI provider (Anthropic), transcription (Deepgram), email (Resend), and infrastructure (Cloudflare).

certifications: none claimed. on purpose.

We don't hold SOC 2, ISO 27001, or FedRAMP today, and we won't imply otherwise with badge walls. What we publish is what we actually do — the practices above, the named sub-processors, and contract terms written for public agencies. As we earn formal attestations, they'll be published here.

Security question, concern, or something you believe you've found? cass@heycass.ai reaches a human quickly.