Security & Trust

Last updated: July 8, 2026

eFiling Solutions stores your CPSC eFiling credentials and your compliance records, so we hold ourselves to a high security bar. This page describes how the Service is protected. Questions or security concerns? Contact us.

Infrastructure

The Service runs entirely on Cloudflare's global edge platform — serverless compute, managed database, and private object storage — with data processed and stored in the United States. There are no self-managed servers to patch, and every request is served over HTTPS with HSTS enforced.

Encryption

Tenant isolation

The Service is multi-tenant by design, and isolation is enforced in code, not by convention: every database query is automatically scoped to your company, and requests that attempt to specify another company are rejected. Isolation is verified by automated testing.

Account security

Staff access

Our staff have no standing access to your data. Support access requires an explicit, time-limited session, and every administrative action is recorded in an audit log.

Sub-processors

We use a small number of U.S.-based vendors to run the Service, in these categories: cloud hosting, compute, database, and file storage; transactional email delivery; AI-assisted extraction of data from uploaded lab-test reports; and payment processing. Each is bound to process your data only to provide their service to us.

Our AI sub-processors receive report content only to extract structured data at your request, over paid API tiers whose terms do not permit training on your data. They are not used for any other purpose.

A current named list of sub-processors is available to customers and prospective customers on request — contact us. We notify customers before adding a new sub-processor. Data is also transmitted to the U.S. Consumer Product Safety Commission and to the customs broker your company designates — at your direction, as recipients you choose, not as our sub-processors.

International data transfers

The Service is operated from and hosted in the United States. If you use it from outside the U.S., your data is transferred to and processed in the U.S. Where applicable data-protection law requires safeguards for such transfers (for example, for customers in the EEA, UK, or Switzerland), we will put appropriate measures in place, such as standard contractual clauses, as part of your company's agreement with us. See our Privacy Policy for details.

Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability, contact us with enough detail to reproduce it. We will acknowledge your report promptly, investigate, and keep you informed. We ask that you do not access data that isn't yours, degrade the Service, or disclose the issue publicly before we've had a reasonable opportunity to fix it. We will not pursue legal action against good-faith research conducted within these guidelines.

Availability

The Service is built on globally redundant infrastructure with no single server to fail. Uptime commitments (SLAs) for enterprise customers are available as part of a signed agreement — talk to us.