Built to be handed to your security team.

The assessment data we keep is stored without personal identifiers: a person's answers and result carry no name or email. Contact details are only collected if someone chooses to give them (to receive their read or join research), and they are stored separately from the anonymized response record. Data minimization is the default, not an afterthought.

All traffic is served over HTTPS/TLS. Data at rest lives in managed PostgreSQL (Supabase), encrypted at rest by the provider. We do not store payment data; the instrument is free to take.

The database runs with row-level security enabled and no public policies, so the public/anonymous key can read nothing directly. All reads and writes go through our server-side API using a service-role key that is never exposed to the browser. The practitioner console sits behind authentication. Access follows least-privilege.

We run on a small set of established providers, each maintaining their own security programs and certifications:

• Vercel — application hosting.
• Supabase — managed PostgreSQL database and storage.
• Resend — transactional email (your read).
• ConvertKit (Kit) — opt-in email communications.

Primary data residency: [region — e.g. United States]. We can share each provider's current compliance documentation on request.

An optional advanced read can analyze behavioral evidence (e.g. email or documents) via OAuth to a provider such as Google or Microsoft. It is off by default and held to a higher bar than the assessment itself:

• Explicit, granular, per-source consent with least-privilege (read-only) scopes.
• Content is processed to derive signals; raw content is not retained.
• Revocable at any time, with deletion of the derived data.
• No connected content is used for advertising, sharing, or third-party model training.
• Where a provider requires it (e.g. Google restricted scopes), we complete that provider’s security review and verification before access is enabled.

This capability is forward-looking and is not enabled in the current product.

Anonymized research data is retained in aggregate. Identifiable data is retained until the person unsubscribes or requests deletion, then removed within [30 days]. Deletion and access requests are handled per our Privacy Policy.

We do not sell, rent, or trade data. We do not use it for third-party advertising. We do not feed identifiable client data into third-party model training.

We are an early-stage research company and are candid about it: the controls above are real and in place today, but we do not yet hold formal certifications such as SOC 2. We are happy to complete a security questionnaire, sign an NDA or DPA, and discuss your specific requirements. For enterprise reviews, contact security@signalabs.org.