Defense in depth

Your equity data, protected at every layer.

We hold the most sensitive data a public company has — insider holdings, grant terms, compensation. Here is exactly how we protect it.

Encryption everywhere

Data is encrypted at rest with AES-256 and in transit with TLS 1.3. API keys and webhook secrets are stored encrypted (AES-GCM), never in cleartext.

Multi-tenant isolation

Tenant isolation is enforced in the database with PostgreSQL row-level security (RLS) and SECURITY DEFINER helpers — not just in application code.

SOC 2 in progress

We are pursuing SOC 2 Type II. Target report date: [TARGET DATE — placeholder]. Our controls map to the Trust Services Criteria today.

Penetration testing

Independent penetration testing on an annual cadence, plus continuous automated dependency and secret scanning in CI on every commit.

Incident response

A documented incident-response runbook with defined severities and a public status page. See our security policy for the full commitment.

Subprocessors

The third parties that process data on our behalf. Last updated 2026-05-28.

SupabaseManaged PostgreSQL database, auth, and object storage
VercelApplication hosting, edge network, and deployment
ResendTransactional email delivery
SentryError monitoring (enabled only when a DSN is configured)

Report a vulnerability

We operate a 90-day responsible-disclosure policy. Email security@unfoldingvalues.com and we will acknowledge within 2 business days.

Read our full security policy →