Data storage, encryption, and residency
Application data, uploaded documents, and authentication records are stored in Supabase (PostgreSQL and object storage on AWS). The web application itself is served from Cloudflare's edge network.
Where data lives
| Data | Store |
|---|---|
| Profiles, deal rooms, Q&A, decisions, activity | Supabase PostgreSQL |
| Uploaded documents (decks, models, statements) | Supabase Storage (object storage) |
| Authentication credentials and sessions | Supabase Auth |
| Static application assets | Cloudflare Pages CDN |
In transit
Every connection is TLS-encrypted end to end: browser to Cloudflare edge, and Cloudflare to Supabase. TLS 1.3 is negotiated with every modern client; TLS 1.2 is the minimum accepted version. Plain HTTP is redirected before any request body is read.
At rest
Database contents and stored files are encrypted at rest with AES-256 on Supabase's AWS-backed infrastructure. Supabase holds SOC 2 Type II compliance for this infrastructure. Document downloads are served through short-lived signed URLs — there are no permanently public file links to deal documents.
Third parties
We do not sell user data to third parties. Data leaves our infrastructure only for functions you can see in the product: transactional email (Resend), CRM sync of contact records for signups (HubSpot), and AI processing you explicitly trigger (see AI data handling). None of these receive deal documents except the AI path, and that only on your action.
Deletion
Account deletion is self-service under Settings → Security and requires typed confirmation. Deletion removes your authentication record and profile data. Some records survive deletion where the other party owns them or the law expects them to persist — for example, a signed NDA remains available to its counterparty, and activity log entries referencing past actions are retained for the workspaces they occurred in.