Security & Trust
Honest about where we are and where we're going. We are not SOC 2 compliant yet; we will be by Q2 2027. Here is exactly how we handle your data until then, and after.
How we handle your data
We never train AI models on customer data
All LLM calls go to Anthropic through their API. Under Anthropic's commercial API terms, data sent to the API is not used to train their models by default. We do not share, sell, or repurpose customer data for any training, and we do not train models of our own on it.
Data in transit is encrypted
All traffic between your browser and our servers, and between our servers and Anthropic's API, is encrypted with TLS 1.3. Plaintext is visible only to our application (hosted on Vercel) and to Anthropic; no other intermediary sees unencrypted data.
Data at rest is encrypted
Vercel, our hosting provider, encrypts all stored data at rest with AES-256. When we add Supabase as our database after the MVP, it will encrypt data at rest to the same standard and will appear in the sub-processor list below before it handles any customer data.
You can export and delete your data anytime
CSV export is available on every workspace. Deletion requests sent by email are fulfilled within 30 days. We honor GDPR Article 17 (right to erasure) requests without asking you to justify them.
Sub-processors
Third parties that process data on our behalf. We publish changes to this list at least 30 days before a new sub-processor handles customer data; email us to be notified of changes.
| Provider | Purpose | Location | Data handled |
|---|---|---|---|
| Anthropic | LLM processing (Claude API) | US | Backlog text during parsing |
| Vercel | Hosting, edge delivery | Global | HTTP traffic, logs |
| GitHub | Source code version control | US | Application source code only (no customer data) |
Compliance roadmap
We are early-stage. We publish timelines honestly so your legal team knows what they are signing up for.
| Item | Status |
|---|---|
| SOC 2 Type 1 audit | Scoped; auditor selection in progress |
| SOC 2 Type 2 audit | Planned after Type 1 |
| Standardized GDPR DPA | Available now on request via email |
| EU data residency option | Planned as an enterprise-tier feature |
| SSO (SAML 2.0) | In MVP scope |
Your legal team has questions
We respond within 2 business days to security questionnaires, DPA requests, and vendor assessments. Most B2B deals clear risk review in under a week.