Security & Data Protection Policy

iphere handles confidential subject matter — patent, trademark, and design filings. This document addresses how your invention and technical information is protected, and answers the two questions we hear most often: (1) Could using AI leak my technology? and (2) What if the database is breached?

This policy operates alongside our Terms of Service and Privacy Policy. It only states protections we technically and operationally enforce.

Effective date: 2026-06-07

1. Data protection when AI is used

iphere's AI Specification Assistant and prior-art analysis features call a commercial AI infrastructure that holds international security certifications, invoked from our backend only. We do not route your inputs through public consumer chatbot services.

1.1. Is my data used to train the model?

Under the official policy of the commercial AI API we use, your inputs and outputs are not used for model training by default. Training use occurs only when a user has explicitly opted in (for example, by submitting feedback or a bug report).
iphere does not forward your inputs to the AI provider as feedback, and we do not operate any such opt-in channel. The pathway that could trigger training use is structurally blocked.
This is fundamentally different from pasting your invention into a consumer chatbot site.

1.2. Security certifications of the AI provider

The commercial AI infrastructure we use holds SOC 2 Type 2 and ISO 27001 international information-security certifications.
For customers requiring stronger guarantees (e.g. enterprise, government, defense), the provider's Zero Data Retention option can be arranged so that inputs and outputs are not retained at all. Contact us if this applies to you.

1.3. If you would rather not use AI at all

The AI Specification Assistant is opt-in, not the default in iphere's filing workflow. If you do not select the AI drafting option, your materials are not sent to any AI model.
For features like KIPRIS prior-art search, AI may help generate a search query from your keywords, but the body of your invention itself is not transmitted externally.

2. Database and infrastructure security

iphere applies a defense-in-depth model.

2.1. Infrastructure certifications

The database, authentication, and storage infrastructure we use holds SOC 2 Type 2, ISO 27001, and HIPAA (U.S. health information protection standard) certifications.
Hosting and CDN are operated through global providers that hold equivalent certifications, with DDoS protection and global edge distribution applied.

2.2. Encryption

At rest: All customer data is encrypted with AES-256.
In transit: All HTTP traffic is protected with TLS 1.2 or above, with HSTS enabled.
Sensitive fields: Passwords are stored as one-way hashes (bcrypt-class), never plaintext. Payment instrument data (card numbers, etc.) is retained by the payment service provider, not by iphere.

2.3. Access control (Row-Level Security)

Every customer-data row is protected by a Row-Level Security (RLS) policy.
A user can access only their own data (auth.uid() = user_id). Reading another user's filings, documents, or payment history is blocked at the SQL level.
The administrative key (service_role) is used only on our server and is never included in any client (browser/mobile) bundle. This is enforced as a non-negotiable code rule.

2.4. Backup and recovery

Daily automated backups and Point-In-Time Recovery (PITR) are enabled.
Backups are stored in a separate location from the production environment.

2.5. Security monitoring

Every new database migration is verified by a triple safety net: RLS policy, explicit GRANTs, and an infrastructure-provided advisor tool.
Periodic security audits and vulnerability scans are performed.
Anomalous access and login attempts are monitored.

3. Comparison with everyday digital channels

In practice, most patent work today is conducted over ordinary email (consumer webmail, corporate mail) and messaging apps (KakaoTalk, Slack, etc.). The protection model iphere applies differs from those channels in the following ways:

Aspect	Ordinary email / messaging	iphere
Data isolation	Message body stored on the mail server. Exposed at sender, recipient, and every intermediate hop.	Per-user Row-Level Security. Cross-user reads blocked at the SQL level.
Encryption at rest	Varies by provider; some store close to plaintext.	AES-256 enforced.
Access separation	Internal staff and administrators commonly have access to message bodies.	service_role is segregated; day-to-day operators cannot bulk-read message bodies.
Compliance certifications	Varies widely by provider.	Infrastructure with SOC 2 Type 2 / ISO 27001 / HIPAA certifications.
Audit trail	Often limited to message send/receive logs.	Migration and access logs retained separately.

In other words, compared with patent work that is already routinely conducted over ordinary email and messaging — which is the current real-world baseline — iphere applies a materially higher standard of protection.

That said, no digital service can promise 100% elimination of risk. The only way to fully avoid digital exposure is to keep invention materials entirely on paper, handle them face-to-face, and exchange them only by physical mail. That approach severely undermines the speed, accuracy, and reviewability of actual filing work, and is effectively impractical in modern patent practice. iphere is designed to apply the highest level of security achievable in a digital environment while still enabling efficient and reliable filing work.

4. Lifelong confidentiality obligation of the patent attorney

iphere's filing work is performed by patent attorneys at Lidam Patent & Law Firm. Patent attorneys in Korea bear the following legal obligation:

Patent Attorney Act, Article 22 (Duty of Confidentiality): A patent attorney or their staff must not, without justification, disclose any confidential information learned in the course of their duties. This obligation continues for life, even after the engagement ends. Violation is a criminal offense.
This obligation supersedes the company's terms and policies, and continues to apply to the attorney personally even if the company ceases to exist.
The company imposes the same level of confidentiality obligation on non-attorney employees via employment contracts and internal policy.

5. Data processing entrustment

To deliver the service reliably, iphere entrusts certain processing tasks to external providers. Each provider is bound by an equivalent level of security and privacy obligation. The complete list of processors is set out in the Privacy Policy.

Scope	Notes
AI model inference	Commercial AI infrastructure with international security certifications. No training by default.
Database, authentication, storage	SOC 2 Type 2 / ISO 27001 / HIPAA
Web hosting and SSR	SOC 2 Type 2
CDN and DDoS protection	SOC 2 Type 2 / ISO 27001
Domestic payment processing (Korea)	PCI DSS (standard for Korean PGs)
Transactional email delivery	Outbound notifications only

6. Your rights

You may exercise the following rights regarding your data:

Access, correction, deletion: Edit or remove your data directly from the case detail screen or account settings. For other requests, contact us.
Account termination: Upon termination, your account information is deleted immediately. Filing and rights-management records are retained per statutory requirements (see Privacy Policy §3).
Stop using AI: You may stop an in-progress AI drafting session and switch to attorney-led manual drafting.

7. Reporting security issues

If you discover a security vulnerability in iphere, please report it to the following address. We will review the report promptly and protect the reporter's identity.

Email: security@ip-here.com

8. Changes to this policy

We will provide notice (in-product or by email) at least 7 days before the effective date of any change (30 days for material changes). Continued use of the service after the effective date constitutes acceptance of the revised policy.

Contact: security@ip-here.com

Effective date: 2026-06-07