Data handling with clear boundaries
Evidence stored in your dedicated tenant. Mutual NDA available on request as part of scoping. You control your own data lifecycle; data-handling, incident-response, and post-termination deletion terms are defined in the Master Services Agreement.
Data storage & sub-processors
Primary customer data is stored in the United States on our managed PostgreSQL sub-processor (Neon). Transactional sub-processors (authentication, AI inference, transactional email, platform hosting) may process metadata in their own operational regions per their published policies.
- Primary database: Neon managed PostgreSQL (US) with automated point-in-time recovery
- Authentication: Clerk (auth sessions + user metadata)
- AI inference: Anthropic Claude API (US; no model training on customer data, per Anthropic's commercial-API terms — 7-day API log retention)
- Hosting + platform delivery: Vercel (US; transactional log storage)
- Evidence-file blob storage: Vercel Blob (US; tenant-scoped paths; customer audit files at rest)
- Content retrieval index: Pinecone (US; tenant-isolated namespacing for evidence excerpts, workpaper narratives, and exception descriptions; matching is exact-text, not semantic similarity)
- Rate limiting + distributed locks (AI-test / QC / population concurrency): Upstash Redis (low-sensitivity metadata only — request IPs + user identifiers; no customer audit content)
- Transactional email: Resend (contact-form delivery)
The authoritative sub-processor list for each customer is maintained in MSA Schedule A, with 30-day change-control notice.
Encryption & integrity
Data encrypted at rest by our database sub-processor and in transit via TLS 1.2+. SHA-256 integrity hashes on every evidence file. Tamper prevention built into the audit trail — UPDATE and DELETE on audit-log records are blocked at the database level by immutability triggers, and tenant rows are additionally protected by row-level security.
- TLS 1.2+ minimum for all data transfers (HSTS enforced)
- Encryption at rest managed by Neon (AES-256)
- SHA-256 content hash on every uploaded evidence file
- Database-key rotation managed by sub-processor per published policy
- Server certificates auto-renewed via ACME; HSTS preload eligible
AI processing
Evidence is processed by Anthropic Claude API (United States). Per our AI provider's commercial-API terms, customer data is not used for model training. Full provenance trail on every AI result.
- No training on customer data
- Mandatory auditor review on all AI results
- Documentation outputs your firm can use for AS 1215 review obligations — your firm determines documentation sufficiency
Tenant isolation
Each tenant is isolated with row-level security on all writes. Your data is never visible to other tenants.
- PostgreSQL row-level security enforces tenant write isolation at the database engine level, with application-layer tenant filtering as defense-in-depth on read paths
- Isolated evidence storage per tenant in dedicated blob namespaces; cross-tenant read paths blocked at storage-API level
- Per-tenant audit-trail isolation; cross-tenant queries return empty result sets (engine-enforced, not application-filtered)
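The two database-level controls described under "Encryption & integrity" and "Tenant isolation", an append-only audit table and a row-level security policy, shown as an added PostgreSQL example. It is not the vendor's schema; the table, trigger, role and `app.tenant_id` setting names are assumptions.

```sql
-- Hypothetical schema for illustration (PostgreSQL 13+); not the vendor's own.
CREATE TABLE audit_log (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,
    action      text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Immutability: any UPDATE, DELETE or TRUNCATE raises and aborts the statement.
CREATE FUNCTION audit_log_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_reject_change();

-- Row-level triggers do not fire on TRUNCATE, so it needs a statement-level one.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_change();

-- Tenant isolation. FORCE applies the policy to the table owner as well.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;

-- app.tenant_id is an assumed per-transaction setting. Unset or empty becomes
-- NULL, the comparison is then never true, and the policy fails closed.
CREATE POLICY audit_log_tenant ON audit_log
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed check, run as an unprivileged application role (assumed name).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON audit_log TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO audit_log (tenant_id, actor, action)
VALUES ('11111111-1111-1111-1111-111111111111', 'alice', 'evidence.upload');
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM audit_log;  -- tenant 2's view: the row above is filtered out
ROLLBACK;
```

The role the application connects as should not own the table, because an owner can disable triggers. Superusers and roles with `BYPASSRLS` skip the policy even with `FORCE ROW LEVEL SECURITY`.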
Incident response
If a Confirmed Incident affects your data, breach-notification timing and scope are governed by the MSA breach-notification clause, which is negotiated per customer. Our internal incident-response runbook with severity taxonomy + forensic-preservation procedure is shared under NDA during procurement review.
- Internal incident-response runbook with severity taxonomy + forensic-preservation procedure
- Runbook shared under NDA during procurement review
- Post-incident review with root-cause documentation
Have specific requirements?
Mutual NDA available on request as part of scoping. Data-handling and security-review questions are addressed during the scoping call.