LangevinAI

Data Flow & Security Overview

A plain-language summary for prospective customers and their security/procurement teams. Not a substitute for the Privacy Policy or Data Processing Addendum, which govern in case of any conflict.

1. What data LangevinAI touches

When you use LangevinAI, you upload a general ledger export (Excel/CSV) and, optionally, supporting documents (PDF, Word, .eml). These files typically contain:

  • Account names and balances
  • Transaction-level detail (dates, descriptions, amounts, vendor/customer names)
  • No payment card or bank account credentials are collected by LangevinAI itself

2. How your data moves through the system

Shared-proxy mode (Solo, Pro, and Business plans)

  1. You upload a file in your browser. Parsing (header detection, format normalization) happens client-side in JavaScript — the raw file is not sent anywhere just to be parsed into a table.
  2. When you request AI classification, commentary, or summaries, the relevant account names, sampled transaction rows, and document excerpts are sent from your browser to our Vercel serverless function.
  3. The function verifies your identity (Clerk-issued session token) and your plan entitlement (Supabase), applies model and fair-use limits, then forwards the request to the Anthropic API over TLS, using our Anthropic API key.
  4. Anthropic returns the classification/commentary result, which is passed back to your browser and rendered. It is not written to a database on our side.
  5. Your file itself is not stored on our servers — the working data lives in your browser session for the duration of your use of the app.

BYOK option (Bring Your Own Key, available on any plan)

  1. Same client-side parsing as above.
  2. Your personal Anthropic API key is stored only in your browser's local storage — it is never transmitted to, or stored on, our servers.
  3. AI requests go directly from your browser to the Anthropic API using your key. We never see the request or response content in this mode.

3. What we store, and where

DataStored?Where
Uploaded GL/budget/support filesNoNot persisted server-side; held in-browser only
Account classifications, AI commentaryNoHeld in browser session only, regenerated as needed
Your API key (BYOK)No (by us)Browser localStorage only
Account/plan/billing infoYesSupabase (plan status, usage counters), Clerk (authentication), Stripe (payment/subscription records)
Login credentialsNot by us directlyManaged entirely by Clerk (we never see passwords)

4. Subprocessors

SubprocessorRoleData it may see
AnthropicAI model inference (classification, commentary, summaries)GL account names, sampled transactions, supporting-document excerpts, per-request only — not retained by LangevinAI
VercelHosting, serverless function executionRequest metadata; transient in-memory access to data in transit through the proxy
ClerkAuthentication (sign-in/sign-up, session tokens)Name, email, authentication metadata
SupabasePlan/entitlement storageClerk user ID, plan tier, entity count, usage counters
StripeBilling and subscription managementPayment details, billing contact info

We do not use customer financial data to train AI models, and we do not sell customer data to third parties. See the Privacy Policy for our data-retention commitments in full.

5. Why this matters for your review

  • No server-side data lake of customer financials — there's nothing to breach because there's very little sitting still.
  • BYOK mode gives security-sensitive customers a path where their financial data never touches our infrastructure at all.
  • Single-file architecture means the entire client application is auditable in one file — no obscured data paths across dozens of services.

If your security team needs a completed vendor security questionnaire or a signed Data Processing Addendum, contact us at contact@langevinai.io.