Security & compliance

Last updated

Hockystick hosts confidential fundraising material — pitch decks, financial models, cap tables, bank statements. This page states plainly what we do to protect it, what the legal framework around it is, and how to reach us if you find a problem.

Summary

  • All traffic is encrypted in transit with TLS; data is encrypted at rest with AES-256.
  • Row Level Security is enabled on all 107 database tables — every query is scoped to the requesting user. Verified against the production database on 8 July 2026.
  • No deal document is visible to a counterparty before a mutual NDA is signed inside the deal room.
  • Every NDA is governed by DIFC law with DIAC arbitration, enforceable under the New York Convention in more than 170 states.
  • We do not sell user data to third parties. Ever.
  • Document text extraction runs in your browser. Document content reaches a third-party AI provider only when you explicitly trigger an AI action on it.
  • Security reports go to [email protected] and are acknowledged within 48 hours.

Encryption

All connections to hockystick.app terminate at Cloudflare's edge over TLS — TLS 1.3 for every modern client, with TLS 1.2 as the floor. There is no unencrypted access path; HTTP requests are redirected to HTTPS. At rest, all application data and uploaded documents are stored on Supabase infrastructure (AWS-backed) with AES-256 encryption.

Access control

Authorization is enforced in the database, not just the application. Every one of the 107 tables in the production schema has PostgreSQL Row Level Security enabled, which means a query can only return rows the authenticated user is entitled to see — even if application code has a bug, the database refuses to serve another user's data. Details and the verification query are on the Row Level Security page.

On top of RLS, team accounts carry role-based permissions (admin, manager, analyst, viewer on the founder side; admin, associate, analyst, external on the investor side) that control what each member can do inside a workspace.

Deal rooms are NDA-gated: the Information Vault stays locked until both parties sign the generated mutual NDA. The NDA specifies DIFC (Dubai International Financial Centre) governing law and binding arbitration under DIAC (Dubai International Arbitration Centre) rules, seated in Dubai, conducted in English. Awards are enforceable under the 1958 New York Convention. The full clause structure is documented on the NDA legal framework page.

AI and your documents

Text extraction from uploaded files (PDF, DOCX, PPTX, XLSX, CSV) happens client-side, in your browser. Nothing is sent to an AI provider as a side effect of uploading. Document content is transmitted to a third-party AI model only when you take an explicit action that requires it — generating a summary, a deal brief, or running verification classification. The full policy is on AI data handling.

Infrastructure

The application runs on Cloudflare Pages and Workers at the edge. Data, authentication, and file storage run on Supabase, which is built on AWS and holds SOC 2 Type II compliance. Secrets are stored encrypted in Cloudflare and never shipped to the browser bundle. See Data storage for specifics.

Reporting a vulnerability

Email [email protected]. We acknowledge reports within 48 hours. Our disclosure policy, including what we ask of researchers and what we commit to in return, is on the Responsible disclosure page, and is also published at /.well-known/security.txt.