The checker runs in your browser.
When you paste a clause, the matching happens entirely on your device, against the state's holdings the page has already loaded. The clause text is never transmitted to our servers.
The only thing we log is an anonymous, one-way truncated SHA-256 hash of the clause plus the state and whether we found a match — so we can see which areas of law people need help with. The hash cannot be reversed into your clause, and it identifies nothing about you.
- No account, no sign-up to check a clause — nothing to breach.
- No clause text stored — not in a database, not in a log, not anywhere.
- The alert tier stores only the email address and states you choose to give it, used solely to send you alerts.
Locked-down delivery.
The site is static and served over a global CDN with strict transport and browser-hardening headers on every response:
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none' …
- X-Frame-Options: DENY (the site cannot be embedded in a frame, which blocks clickjacking)
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: geolocation=(), microphone=(), camera=()
Less to attack.
- No third-party trackers or ad-tech — no analytics pixels, no behavioural profiling. The only third-party resource the site loads is Google Fonts.
- A dependency-free serverless function handles payment confirmation using only the platform's built-in crypto — no npm supply chain to compromise.
- No secrets in our code. Credentials live only in server-side environment configuration, never in the repository or the pages you receive.
We never touch your card.
Checkout for the $29/mo alert tier is handled entirely by Stripe (a PCI-DSS Level 1 provider). Your card details go straight to Stripe and never pass through — or get stored by — ClauseDelta. Payment confirmations arrive through a webhook whose cryptographic signature is verified, and that verification fails closed: a forged or unsigned message is rejected before it can do anything, so the paid tier cannot be spoofed without a real Stripe payment.
The data itself is gated.
Security isn't only about access — for a data product it's also about whether the data can be trusted. Every holding we publish must pass a deterministic provenance gate: the quoted language has to be an exact, character-for-character substring of the source opinion, or it never ships. Nothing is a model's paraphrase. See the full methodology →
Found a vulnerability? Tell us.
We welcome good-faith security reports and will work with you to confirm and fix issues. Please give us a reasonable chance to remediate before public disclosure, and don't access data that isn't yours.
- Security contact: info@cedarstonellc.com
- Machine-readable: /.well-known/security.txt