Security at DueVestor
How we keep your data — and your subjects' data — safe in transit, at rest, and against insider threat.
Encryption
TLS 1.2+ in transit (Cloudflare-terminated, modern ciphers). The Postgres database is encrypted at rest by the hosting provider; within the database, any third-party token we hold is additionally encrypted with Fernet (AES-128-CBC + HMAC-SHA256). Backups are encrypted with the same envelope key.
Access controls
Production access is limited to a single founder operator under least-privilege Cloudflare Access policies. All sensitive admin operations go through an audit log (ADR-058) with 2-year retention. API keys are opaque per-key tokens stored only as HMAC-SHA256 digests keyed with the application secret (ADR-056), so a leaked DB dump cannot be used to replay a key without that secret.
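To illustrate the keyed-digest scheme described above, here is an added stdlib Python example (not DueVestor's own code; ADR-056's details are not on this page). The `dv_` key prefix, the function names and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed application secret (the "pepper"). In a real deployment this is held
# outside the database (environment variable or secret manager), which is
# exactly why a dump of the key table alone is not enough to replay a key.
APP_SECRET = secrets.token_bytes(32)


def digest_key(raw_key: str, app_secret: bytes = APP_SECRET) -> str:
    """HMAC-SHA256 of the presented key under the application secret."""
    return hmac.new(app_secret, raw_key.encode(), hashlib.sha256).hexdigest()


def issue_key(store: dict, owner: str, app_secret: bytes = APP_SECRET) -> str:
    """Create a random opaque key, persist only its keyed digest, return the
    plaintext once. The 'dv_' prefix is a constructed example format."""
    raw_key = "dv_" + secrets.token_urlsafe(32)
    store[digest_key(raw_key, app_secret)] = owner
    return raw_key


def authenticate(store: dict, presented: str, app_secret: bytes = APP_SECRET):
    """Resolve a presented key to its owner, or None if unknown.

    An indexed lookup on the digest is acceptable here: the digest is keyed,
    so a caller cannot craft inputs that map to a chosen stored value.
    """
    return store.get(digest_key(presented, app_secret))


def dump_is_useless_without_secret(store: dict, raw_key: str) -> bool:
    """Defender's check: neither the stored digests themselves nor a digest
    computed under a different secret authenticates against the store."""
    replay_with_digest = any(authenticate(store, d) is not None for d in store)
    other_secret = secrets.token_bytes(32)
    replay_other_secret = authenticate(store, raw_key, other_secret) is not None
    return not replay_with_digest and not replay_other_secret
```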
SOC 2 roadmap
Target: SOC 2 Type I report by Q4 2026 covering Security + Availability trust criteria, scoped to the production SaaS and the per-report sandbox. Type II report in 2027 once the 6-month observation window completes. Currently in Stage 2 readiness — controls are in place, audit-firm engagement is scheduled.
Reporting a vulnerability
Email [email protected] with a description, reproduction steps, and your suggested CVSS score. We commit to acknowledgement within 72 hours and a fix-or-explain response within 30 days. No monetary rewards in v1; public credit in the post-mortem if you want it.
What we send to LLMs
Subject data sent to Anthropic flows under a no-training contract enforced by the Enterprise tier (your DSAR data never trains a model). Per-report sandbox compute on RunPod is ephemeral — the pod is destroyed at the end of every report (ADR-031..034).
Sub-processors
DueVestor uses the following sub-processors to deliver the service. We notify customers 30 days before adding any sub-processor that processes EU personal data.
| Vendor | Purpose | Region |
|---|---|---|
| SendGrid | Transactional email | US |
| Twilio | SMS / phone OTP (Sprint 6) | US |
| Cloudflare | CDN + DNS + edge cookies | Global |
| Anthropic | LLM inference (no-train contract) | US |
| GitHub | Source code hosting (no user data) | US |
| RunPod | Per-report ephemeral compute sandbox | US |
| PayPal | Credit purchases | US |
Need a signed DPA?
Customers on the Team plan or above can request a signed Data Processing Agreement.