Data storage, encryption, and residency

Last updated

Application data, uploaded documents, and authentication records are stored in Supabase (PostgreSQL and object storage on AWS). The web application itself is served from Cloudflare's edge network.

Where data lives

DataStore
Profiles, deal rooms, Q&A, decisions, activitySupabase PostgreSQL
Uploaded documents (decks, models, statements)Supabase Storage (object storage)
Authentication credentials and sessionsSupabase Auth
Static application assetsCloudflare Pages CDN

In transit

Every connection is TLS-encrypted end to end: browser to Cloudflare edge, and Cloudflare to Supabase. TLS 1.3 is negotiated with every modern client; TLS 1.2 is the minimum accepted version. Plain HTTP is redirected before any request body is read.

At rest

Database contents and stored files are encrypted at rest with AES-256 on Supabase's AWS-backed infrastructure. Supabase holds SOC 2 Type II compliance for this infrastructure. Document downloads are served through short-lived signed URLs — there are no permanently public file links to deal documents.

Third parties

We do not sell user data to third parties. Data leaves our infrastructure only for functions you can see in the product: transactional email (Resend), CRM sync of contact records for signups (HubSpot), and AI processing you explicitly trigger (see AI data handling). None of these receive deal documents except the AI path, and that only on your action.

Deletion

Account deletion is self-service under Settings → Security and requires typed confirmation. Deletion removes your authentication record and profile data. Some records survive deletion where the other party owns them or the law expects them to persist — for example, a signed NDA remains available to its counterparty, and activity log entries referencing past actions are retained for the workspaces they occurred in.