⚠ DRAFT — This is a template.
Reviewed and approved by [LAW FIRM NAME] on [REVIEW DATE]. Last updated 2026-05-28. Contact founders@unfoldingvalues.com with legal questions.
Security Policy
Last updated 2026-05-28
This Security Policy describes the commitments and practices Unfold Equity maintains to protect customer data. It complements our Privacy Policy and Data Processing Agreement.
1. Encryption
All customer data is encrypted at rest using AES-256 and in transit using TLS 1.3. Secrets such as API keys and webhook signing secrets are stored encrypted (AES-GCM), never in cleartext.
2. Access Control
Access to the Service is governed by role-based access control. Tenant isolation is enforced in the database itself via PostgreSQL row-level security with SECURITY DEFINER helpers. Administrative access to production is limited, logged, and protected by multi-factor authentication.
3. Monitoring and Logging
The Service maintains an enforced, append-only audit trail of sensitive actions. We employ error monitoring and continuous automated dependency and secret scanning in our CI pipeline on every commit.
4. Incident Response
We maintain a documented incident-response runbook with defined severity levels. Material incidents affecting customer data are communicated to affected customers without undue delay, and operational status is published on our status page.
5. Vulnerability Disclosure
We welcome reports from security researchers. Email security@unfoldingvalues.com with details. We operate a 90-day responsible-disclosure policy: we will acknowledge your report within 2 business days, work with you on remediation, and ask that you give us up to 90 days to remediate before public disclosure. We will not pursue legal action against good-faith research conducted under this policy.
6. SOC 2 Status
We are pursuing SOC 2 Type II. Target report date: [TARGET DATE — placeholder]. Our controls are mapped to the Trust Services Criteria today, and we will make our report available to enterprise customers under NDA once issued.
7. Subprocessors
Current subprocessors (last updated 2026-05-28): Supabase (database, authentication, storage); Vercel (application hosting); Resend (transactional email); Sentry (error monitoring, enabled only when configured). The current list is published on our Security page.