Data Collection: What Do We Gather and How Is It Used?
The scope of data collection depends on the definition of the "customer" within our platform. We distinguish between two key user groups:
Platform Users: To access our platform, users are only required to provide their email address, first name, and last name. Authentication is managed using Auth0 authentication standards to ensure security and compliance.
End Users: No personally identifiable information (PII) is collected from end users for analytics or CRM purposes. Instead, we focus on collecting data from LLMs to improve our services and insights.
Data Storage and Security Measures
We prioritize data security by storing all collected data in data centers within the European Union. These data centers are protected using multiple layers of security:
Restricted Access: Data is not exposed to the Internet and is only accessible through private networks and an encrypted VPN. The principle of least privilege access is enforced, ensuring only the relevant development team can access the data.
Encryption Standards: Data is securely transmitted via APIs using TLS 1.3 encryption. Access is safeguarded by authentication mechanisms (short-lived JWTs) and fine-grained role-based access control (RBAC), ensuring users only access the data they are authorized to view.
Web Application Firewall (WAF): API endpoints are protected using a WAF, adding another layer of defense against potential threats.
AI Model Providers and Updates
Our platform integrates with the APIs of the world's leading LLM providers, ensuring continuous updates and improvements. As of February 18, our platform supports:
OpenAI
Gemini
Llama
Anthropic
DeepSeek
Perplexity
We regularly assess and update our model offerings to ensure our users benefit from the latest advancements in AI.
Here's an up-to-date list of all the models used.
Security and Compliance in API Connections
To maintain a high level of security and compliance in our connections to AI model providers, we implement robust protection measures:
Encryption Protocols: All data in transit is secured using TLS 1.2/1.3 to ensure confidentiality and integrity.
Strict Authentication Mechanisms: We leverage OAuth 2.0 and API keys to connect with AI model providers, ensuring secure and controlled access.
Note: All connections to the LLM providers are encrypted and secure.
Certifications and Security Assessments
We uphold rigorous security standards through continuous assessments:
ISO 27001 Compliance: Our platform adheres to ISO 27001 standards, ensuring best practices in information security.
SOC 2 Certification: We are proud to be SOC 2 Type 2 compliant. This certification validates that our security controls and operational practices meet the rigorous standards set by the American Institute of CPAs (AICPA), ensuring that customer data is securely managed and protected over time.
Weekly Penetration Testing: We conduct security penetration tests using Acunetix every week to identify and address vulnerabilities proactively.
Brand and Search Module: Data Privacy and Retention
At Jellyfish, we prioritize the privacy and security of our users' data—especially when it comes to advanced AI integrations like the Share of Model.
For Share of Model, no client data is stored on our platform, with the exception of essential user metadata such as email address, first name, and last name. All other information used in the analysis process originates from publicly available data, specifically the output returned by the large language models (LLMs) during analysis.
Users retain full control over which AI models are used: the system supports case-by-case selection or exclusion of specific LLMs when initiating an analysis. This ensures transparency and flexibility in managing data flow through third-party providers.
Importantly, no confidential or proprietary client data is ever shared with third-party model providers. We have established contracts with all LLM providers that enforce strict non-retention clauses. Most of our partners guarantee zero data retention; in cases where minimal retention is necessary, the maximum duration is strictly limited to 30 days.
Anthropic and OpenAI (ChatGPT) retain data for up to 30 days
Meta’s Llama and Google Gemini enforce zero data retention
Additionally, all providers are contractually bound to not use any data from our platform for training their models.
These safeguards ensure that organizations leveraging the Share of Model feature can confidently adopt AI-powered analysis without compromising data security or control.
Asset Evaluation Module: Data Privacy and Retention
At Jellyfish, we place the highest importance on the privacy and security of our users’ data—especially when handling sensitive assets like images, videos, and user-submitted text through the Asset Evaluation module.
Unlike the Share of Model module, Asset Evaluation involves the storage of client-submitted content. This includes media files (images and videos) and textual inputs provided by users during the evaluation process.
All stored data is treated as strictly confidential and is automatically and permanently deleted in the following cases:
At the termination of a contract, all associated data is fully and irreversibly removed from our systems.
At any time, users can delete specific content directly from the interface. This triggers immediate and permanent deletion of the selected assets.
We never share any client-submitted content with third parties, and no data is used for training AI models. Our infrastructure and access controls are designed to ensure that only authorized users within your organization can access stored assets.
All data is stored with a cloud provider certified under ISO/IEC 27001, the leading international standard for information security management. This guarantees that data storage and access controls meet the highest standards of confidentiality, integrity, and availability.
These guarantees allow organizations to confidently use Asset Evaluation while maintaining full control over their data, ensuring both compliance and peace of mind.
Integration: Google Ads and TikTok
When you connect your Google Ads or TikTok Ads account to our platform, we use industry-standard protocols and encryption practices to ensure your credentials and tokens remain secure at all times.
Secure Authentication via OAuth 2.0
Both Google Ads and TikTok Ads connections rely on the OAuth 2.0 protocol - the industry standard for secure delegated access.
This means:
You never share your credentials (email, password) with Jellyfish.
Authentication and authorization occur directly through the official Google and TikTok authorization pages.
Our platform only receives a secure access token (and optionally a refresh token) that allows limited, revocable access to the authorized resources.
All OAuth exchanges take place over HTTPS, ensuring the communication between our systems and the ad platforms is encrypted in transit.
Encryption of Tokens with Google Cloud KMS
Once received, OAuth tokens are encrypted at rest using Google Cloud Key Management Service (KMS).
KMS provides centralized, secure, and auditable key management with the following guarantees:
Strong encryption standards: AES-256 is used for all token encryption.
Hardware security modules (HSMs) ensure encryption keys are protected by tamper-resistant hardware.
Access control: Only the minimal set of authorized backend services can decrypt tokens when needed for API calls.
Audit logging: Every use of encryption keys is logged and monitored within our security operations.
Regular Key Rotation
To further strengthen security, we implement automatic key rotation for the KMS keys used to encrypt OAuth tokens.
This rotation:
Occurs on a regular, scheduled basis following internal compliance standards.
Minimizes the impact of a potential key compromise.
Ensures that older keys are securely retired and replaced with new ones.
Controlled Access and Principle of Least Privilege
Access to encrypted tokens and KMS resources follows the Principle of Least Privilege (PoLP):
Only specific backend services can request decryption operations.
Internal users (including administrators) cannot view or export tokens.
All actions are governed by strict Identity and Access Management (IAM) policies within our cloud infrastructure.
Summary
Aspect | Security Mechanism |
Authentication | OAuth 2.0 (secure delegated access) |
Data in Transit | HTTPS encryption |
Data at Rest | AES-256 encryption via Google Cloud KMS |
Key Management | Automated key rotation and audit logs |
Access Control | Strict IAM policies and least privilege |
Monitoring | Continuous security monitoring and alerting |
In short: when you connect your Google Ads or TikTok Ads account, your credentials are never stored or visible to Jellyfish. Your tokens are encrypted, protected by hardware-secured keys, rotated regularly, and accessible only through tightly controlled systems.
Subprocessors
Updated 12/11/2025
We use the following third-party subprocessors to deliver, secure, and monitor the platform:
Subprocessor | Purpose / Service |
Anthropic | AI/ML services |
OpenAI, L.L.C | AI/ML services |
Google LLC (Google Cloud Platform) | Cloud infrastructure services (compute, storage, networking) |
Cloudflare, Inc. | Cloud infrastructure services (CDN, Hosting, DDoS protection, WAF) |
Sentry | Application monitoring and error tracking |
Hotjar | Application monitoring and error tracking |
Mailjet | Email delivery and transactional communications |
Perplexity | AI/ML services |
Wasabi | Cloud object storage services |
Intercom | Support |