Security

Your client’s data, defended.

Calibrated honesty: here’s exactly how Unlevered stores, protects, and reasons about client information. We update this page when something changes.

Encrypted

AES-256 at rest, TLS 1.3 in transit.

US-East

All data stays in the US.

Default deny

RLS enforces firm-scoped access.

Audit-logged

Material actions hashed and tracked.

01 · Data storage

Encrypted at rest, in transit, end to end.

Primary application data sits in Supabase Pro on AWS infrastructure, US-East regions. Object storage (uploaded client documents and photographs) lives in S3, US-East. No data leaves the United States.

  • Database encryption: AES-256 at rest, full-disk on managed Postgres
  • Transit encryption: TLS 1.3, HSTS preloaded, certificate transparency monitoring
  • Backups: encrypted, retained 30 days, restorable in 4 hours
  • Object storage: server-side encryption, signed-URL only access, no public buckets

02 · Access control

Default-deny, role-checked, firm-scoped.

Row-level security is on for every table. The default policy is deny — if a query doesn’t prove it belongs to your firm and role, the database refuses to return rows. We test this on every deploy.

  • Magic-link auth on the CPA side, plus optional Google SSO
  • Magic-link auth on the client side, scoped to a single study
  • Role separation: CPA, engineer, client, firm admin
  • Unlevered staff cannot access a workspace without an explicit support grant from the firm admin
  • Production database changes require code review, peer approval, and a change record

03 · Audit logging

Every material action logged.

Engine runs, classifications, engineer overrides, document uploads, payment events, and access grants are all written to an immutable PlatformEvent stream. Each row carries a cryptographic hash so you can prove the audit trail hasn’t been edited.

  • Engine-run reproducibility: a hash binds inputs to outputs, so studies can be re-run identically
  • Engineer review trail: who reviewed, when, what was changed, why
  • Source provenance: every classification ties back to a citation row
  • Exportable archive: every study can be exported with its full audit trail
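
A minimal sketch of how a per-row hash can make an audit trail tamper-evident, added here as an illustration and not Unlevered's code. The page does not say how the PlatformEvent hash is computed, so the chaining scheme, the field names and the sample events below are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first row chains to


def row_hash(prev_hash, event):
    """SHA-256 over the previous row's hash plus a canonical JSON encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log, event):
    """Append an event whose hash also covers the hash of the row before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev, "hash": row_hash(prev, event)})


def verify_chain(log, expected_head=None):
    """Return the index of the first row that fails verification, or None if intact.

    expected_head is the last hash as recorded somewhere the database writer
    cannot reach (for example in an exported archive). Without it, dropping rows
    from the tail, or rewriting the whole chain, goes unnoticed. A head mismatch
    is reported as index len(log).
    """
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, row["event"]):
            return i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def build_sample_log():
    """Constructed sample events; the types echo the page, the values are invented."""
    log = []
    for event in (
        {"type": "engine_run", "study": "S-1", "actor": "cpa-1"},
        {"type": "engineer_override", "study": "S-1", "actor": "eng-7"},
        {"type": "access_grant", "study": "S-1", "actor": "admin-2"},
    ):
        append_event(log, event)
    return log
```

Editing a row and recomputing only that row's hash is caught at the next row, because that row's `prev_hash` no longer matches.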

04 · Subprocessors

Who else touches the data.

We name every subprocessor that handles client data, what they handle, and where. Updates are pushed to the DPA and emailed to admins.

Subprocessor      Purpose                         Region
Supabase          Primary DB + auth               US-East
AWS (S3, RDS)     Object & database storage       US-East
Vercel            Application hosting             US-East
Stripe            Payments & Connect              US
Smarty            Address validation              US
Google Workspace  Internal email & docs           US
Sentry            Error reporting (anonymized)    US

Detailed subprocessor commitments live in the Data Processing Addendum. We post 14-day notice before adding a subprocessor that touches customer data.


05 · Retention

What we keep and for how long.

  • Active client data: retained while the relationship is active.
  • Delivered studies: retained indefinitely — your clients depend on access.
  • Audit logs: 7 years, matching IRS audit windows.
  • Cancelled accounts: 90-day soft delete, then full purge unless the firm requests earlier deletion.
  • Sentry error reports: 30 days, anonymized.

06 · Responsible disclosure

Found something? Tell us.

We respond to disclosure reports inside 48 hours. No-retaliation policy. We’ll work with you on a coordinated public timeline if applicable.

Disclosure inbox

Encrypt sensitive details with our PGP key, available on request.

support@unlevered.io

What we don’t claim. We don’t carry cyber liability insurance at MVP. We don’t guarantee audit defense. We don’t hold a SOC 2 report yet (the audit is scheduled). We say what we do, plainly, and we’ll update this page the day anything changes.