Compliance & Security
Effective Date: March 27, 2026
Last Reviewed: March 27, 2026
InferenceBench is committed to maintaining the highest standards of data protection, security, and regulatory compliance. This page outlines our compliance posture across major regulatory frameworks and our security architecture.
1. GDPR Compliance (EU/EEA/UK)
InferenceBench complies with the General Data Protection Regulation (EU) 2016/679 and the UK Data Protection Act 2018. Our compliance measures include:
Data Protection Principles (Article 5)
- Lawfulness, fairness, and transparency: We process data only under valid legal bases (legitimate interest, consent, or contract performance) and clearly disclose all processing activities.
- Purpose limitation: Data is collected for specific, explicit purposes and not processed beyond those purposes.
- Data minimization: We collect only the minimum data necessary. No accounts, no registration, no unnecessary tracking.
- Accuracy: We maintain accurate data and provide mechanisms for correction.
- Storage limitation: Server logs are purged after 90 days. Community submissions are retained only as long as necessary.
- Integrity and confidentiality: Technical and organizational measures protect data against unauthorized processing.
Data Subject Rights
We support all GDPR data subject rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Requests are processed within 30 days. Contact privacy@inferencebench.io.
International Transfers
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as approved by the European Commission.
Data Protection Officer
For GDPR-related inquiries, contact our data protection team at dpo@inferencebench.io.
2. CCPA/CPRA Compliance (California)
InferenceBench complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
| CCPA Requirement | InferenceBench Status |
|---|---|
| Right to Know | Supported — contact privacy@inferencebench.io |
| Right to Delete | Supported — 45-day response window |
| Right to Correct | Supported |
| Right to Opt-Out of Sale | N/A — we do not sell personal information |
| Non-Discrimination | Guaranteed — no differential treatment for exercising rights |
| Sensitive Personal Information | Not collected |
3. Security Architecture
Our security posture is aligned with OWASP Top 10, CIS Benchmarks, and industry best practices:
Infrastructure Security
- Read-only containers: Production containers run with an immutable root filesystem
- Non-root execution: All processes run as unprivileged users with dropped capabilities
- Minimal attack surface: Alpine-based images with no unnecessary packages or shell access
- No-new-privileges: Containers cannot escalate privileges at runtime
- Health monitoring: Automated health checks with restart policies
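The container controls listed above, expressed as a Docker Compose service definition. This is an added example, not InferenceBench's own compose file: the image name, port, and the presence of a wget binary for the health check are assumptions.

```yaml
# Added example (not InferenceBench's own compose file): one service hardened
# to match the controls listed on this page. Image name and port are placeholders.
services:
  web:
    image: example/inferencebench:PLACEHOLDER   # assumption: an Alpine-based image
    read_only: true                             # immutable root filesystem
    user: "65534:65534"                         # unprivileged uid:gid (nobody)
    cap_drop:
      - ALL                                     # drop every Linux capability
    security_opt:
      - no-new-privileges:true                  # no setuid/setcap escalation at runtime
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=16m          # the only writable path, non-executable
    ports:
      - "127.0.0.1:8080:8080"                   # unprivileged port, bound to localhost only;
                                                # a TLS-terminating reverse proxy sits in front
    healthcheck:                                # exec form: runs without a shell
      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:8080/"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped                     # restart policy paired with the health check
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 256M
```

Verify the result with `docker inspect` (look for ReadonlyRootfs, CapDrop, and SecurityOpt) rather than trusting the file alone.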
Transport Security
- TLS 1.2+ enforced for all connections
- HTTP Strict Transport Security (HSTS) with includeSubDomains and preload
- Automatic HTTP to HTTPS redirection
Application Security Headers
| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Content-Security-Policy | default-src 'self'; frame-ancestors 'none'; ... |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| Cross-Origin-Opener-Policy | same-origin |
| Cross-Origin-Resource-Policy | same-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=(), ... |
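A small audit that checks a captured response header block against the values in the tables above. This is an added example, not project code; the sample response is constructed, and because the page elides part of its Content-Security-Policy, only the two CSP directives shown are checked.

```python
import re
# Expected values copied from the header table above. The page elides the rest of
# its CSP, so only the two CSP directives it shows are checked.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
}
REQUIRED_CSP = ("default-src 'self'", "frame-ancestors 'none'")

def parse_headers(raw):
    """Parse a raw response header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # status line or stray text
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_ok(value):
    """True only for max-age >= one year (31536000 s) with includeSubDomains and preload."""
    tokens = [t.strip().lower() for t in value.split(";")]
    age = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(age) and int(age.group(1)) >= 31536000 and {"includesubdomains", "preload"} <= set(tokens)

def audit(raw):
    """Return findings against the table; an empty list means every check passed."""
    h, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, want {want!r}")
    if not hsts_ok(h.get("strict-transport-security", "")):
        findings.append("strict-transport-security: missing or weaker than the table's value")
    csp = [d.strip() for d in h.get("content-security-policy", "").split(";")]
    findings += [f"content-security-policy: lacks {d}" for d in REQUIRED_CSP if d not in csp]
    return findings

# Constructed sample response: COOP missing, HSTS lacks preload, X-Frame-Options weakened.
SAMPLE = """Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Cross-Origin-Resource-Policy: same-origin
"""
```

Feed it the output of `curl -sI https://<your-deployment>/` to check a live instance; `audit(SAMPLE)` reports three findings for the constructed response.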
Access Controls
- Sensitive files blocked at the web server level (.env, .git, .yml, .map, etc.)
- Source maps denied in production
- Admin endpoints protected with authentication (server mode)
- Rate limiting on API endpoints (server mode)
Supply Chain Security
- Dependencies pinned with lock files and audited regularly
- Automated vulnerability scanning in CI/CD pipeline
- Multi-stage Docker builds — production image contains zero build tools, dev dependencies, or source code
4. SOC 2 Alignment
While InferenceBench does not yet hold a SOC 2 Type II certification, our controls are designed in alignment with SOC 2 Trust Service Criteria:
| Trust Service Criteria | Controls in Place |
|---|---|
| Security | OWASP headers, read-only containers, least-privilege, HSTS, CSP, capability drops |
| Availability | Health checks, auto-restart, resource limits, logging |
| Processing Integrity | Deterministic calculation engine, 1100+ automated tests, Zod schema validation |
| Confidentiality | No PII collection, TLS encryption, sensitive file blocking, no data monetization |
| Privacy | GDPR/CCPA compliant, data minimization, no tracking, 90-day log retention |
5. Additional Regulatory Considerations
EU AI Act
InferenceBench is a benchmarking and cost-estimation tool. It does not deploy, operate, or host AI models. It provides transparency into AI model economics and performance — aligned with the EU AI Act's goals of AI transparency and informed decision-making.
ePrivacy Directive
We use only strictly necessary cookies that do not require consent under the ePrivacy Directive. No consent banner is required because we do not use analytics, advertising, or non-essential cookies.
Children's Online Privacy (COPPA)
The Platform is not directed at children under 13. We do not knowingly collect personal information from children.
6. Incident Response
In the event of a data breach or security incident:
- We will notify affected individuals and relevant supervisory authorities within 72 hours as required by GDPR Article 33
- We will investigate the root cause and implement remediation measures
- We will document the incident, its impact, and corrective actions taken
7. Vulnerability Disclosure
If you discover a security vulnerability in InferenceBench, please report it responsibly to security@inferencebench.io. We commit to:
- Acknowledging receipt within 48 hours
- Providing an initial assessment within 5 business days
- Not pursuing legal action against good-faith security researchers
- Crediting researchers (with consent) in our security acknowledgments
8. Open Source Compliance
InferenceBench maintains rigorous open source compliance across the entire codebase and dependency tree.
SPDX License Identifiers
All source files and dependencies use SPDX license identifiers (ISO/IEC 5962:2021) for machine-readable, unambiguous license declaration. Every file in the repository carries an SPDX header comment identifying its license.
OSI-Approved Licenses
InferenceBench and all direct dependencies are released exclusively under licenses approved by the Open Source Initiative (OSI). We do not include or depend on code under non-OSI-approved, proprietary, or source-available licenses. License compatibility is verified during dependency updates and code review.
REUSE Compliance
The project follows the REUSE Specification 3.0 from the Free Software Foundation Europe (reuse.software). Every file in the repository is tagged with copyright and licensing information, and a LICENSES/ directory at the repository root contains the full text of all licenses used. REUSE compliance is checked automatically in CI.
Software Bill of Materials (SBOM)
InferenceBench publishes a machine-readable SBOM in both CycloneDX 1.5 and SPDX 2.3 formats. The SBOM includes all direct and transitive dependencies, their versions, SPDX license identifiers, package URLs (purl), and integrity hashes. SBOMs are regenerated on every release and attached as build artifacts.
| Standard | InferenceBench Status |
|---|---|
| SPDX (ISO/IEC 5962:2021) | All files and dependencies carry SPDX identifiers |
| OSI License Approval | 100% of dependencies use OSI-approved licenses |
| REUSE 3.0 | Compliant — verified in CI pipeline |
| CycloneDX SBOM | Published per release (CycloneDX 1.5 JSON) |
| SPDX SBOM | Published per release (SPDX 2.3 JSON) |
9. Export Control
InferenceBench is classified as EAR99 under the U.S. Export Administration Regulations (EAR), 15 CFR Parts 730-774. As publicly available open source software distributed without charge, it qualifies for the exclusion under 15 CFR 734.3(b)(3) and 734.7(a).
- ECCN: EAR99 (no controlled encryption beyond standard TLS for HTTPS transport)
- Encryption: The software does not implement, contain, or export controlled cryptographic algorithms. TLS/HTTPS is provided by the runtime environment and web server, not by the application.
- Restrictions: No export license is required. Users remain responsible for compliance with applicable U.S. sanctions and embargoes administered by OFAC.
10. Accessibility
InferenceBench is designed to align with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards. Our accessibility measures include:
- Semantic HTML: Proper heading hierarchy, landmark regions, and ARIA labels throughout the application
- Keyboard navigation: All interactive elements are accessible via keyboard with visible focus indicators
- Color contrast: Text and UI elements meet WCAG AA contrast ratios in both light and dark themes
- Responsive design: Full functionality at all viewport sizes, from mobile to ultrawide displays
- Screen reader support: Charts and data tables include alternative text descriptions and accessible data representations
- Reduced motion: Animations respect the prefers-reduced-motion media query
If you encounter accessibility barriers on inferencebench.io, please contact accessibility@inferencebench.io.
11. Data Sovereignty
InferenceBench is designed as an offline-first static calculator. In its default deployment mode, no user data leaves the browser — all calculations are performed client-side with zero API calls.
- Static mode (default): No server-side data processing. All computation occurs in the user's browser. No PII is collected, transmitted, or stored.
- Server mode (optional): When deployed with PostgreSQL and Redis, data is processed and stored in the operator's own infrastructure. InferenceBench does not operate centralized servers that receive user data.
- No cross-border PII transfer: InferenceBench does not transfer personally identifiable information across jurisdictional boundaries. Operators deploying the server mode are responsible for ensuring their infrastructure meets local data residency requirements.
- Data residency: Organizations subject to data sovereignty requirements (e.g., EU data residency, PDPA, LGPD) can deploy InferenceBench within their own jurisdiction with full confidence that no data is exfiltrated.
12. Responsible AI Disclosure
InferenceBench is a transparency tool — it helps organizations understand the economics, performance, and resource requirements of AI inference and training. It is important to clarify what InferenceBench is and is not:
- Not an AI system: InferenceBench does not deploy, host, or execute AI models. It is a deterministic calculator built with pure TypeScript functions.
- No autonomous decisions: The platform does not make purchasing decisions, deploy infrastructure, or take actions on behalf of users. All outputs are informational estimates for human decision-makers.
- Transparency-first: All calculation methodologies are open source and auditable. The engine code is fully visible and every formula can be inspected.
- No training on user data: InferenceBench does not use any user inputs or interactions to train AI models.
- Accuracy disclaimers: All cost estimates, performance projections, and hardware recommendations are approximations based on published specifications and should be validated against actual workloads before procurement decisions.
13. Environmental Considerations
InferenceBench is designed with minimal environmental impact:
- Minimal compute footprint: The static calculator runs entirely in the browser with no server-side computation, resulting in near-zero energy consumption on the hosting side. The production Docker image is approximately 20MB.
- Carbon-aware hosting: We recommend deploying InferenceBench on hosting providers that use renewable energy or purchase carbon offsets. The platform's energy efficiency tab helps users identify greener GPU hosting options.
- Energy transparency: InferenceBench includes built-in energy efficiency metrics (tokens per second per watt, annual power cost estimates, green hosting ROI) to help organizations make environmentally informed infrastructure decisions.
- Efficient by design: No background processes, no polling, no unnecessary network requests. The offline-first architecture ensures the platform consumes resources only when actively used.
14. Contact
For compliance inquiries:
- Privacy: privacy@inferencebench.io
- Security: security@inferencebench.io
- Data Protection: dpo@inferencebench.io
- Accessibility: accessibility@inferencebench.io
- Legal: legal@inferencebench.io