Trust

Security

Last reviewed May 16, 2026

PEVCOS, Inc. stores sensitive fund-management data — deal pipelines, LP rosters, investment positions, portfolio financials, and synced email. The controls below describe how we protect that data. We tell you what we do, what we don't do yet, and how to reach us if you find a problem.

Authentication

  • Authentication is handled by Supabase Auth, which stores passwords as bcrypt hashes (never plaintext) and supports email/password, magic links, and OAuth providers.
  • Session tokens are short-lived JWTs (1 hour) with refresh tokens stored as HttpOnly, Secure, SameSite cookies.
  • OAuth-via-Google connections (Gmail) use the OAuth 2.0 authorization-code flow with a per-request state value that is validated on the callback. State validation is the flow's protection against login CSRF; PKCE, which protects the authorization code itself, is a separate mechanism. Refresh tokens are stored encrypted at rest.
  • Optional: leaked-password protection via HaveIBeenPwned is available on Supabase Pro tiers and can be toggled on by an administrator.

Authorization & tenant isolation

  • Every customer's data lives in a shared multi-tenant database with Postgres row-level security (RLS) enforcing isolation.
  • Each row carries a tenant user_id. All SELECT, INSERT, UPDATE and DELETE policies require user_id = get_effective_user_id(), a resolver that maps a team member's session to their organization's tenant id, so a session can neither read nor write another tenant's rows.
  • Views are declared with security_invoker = on so they inherit underlying-table RLS rather than running as the view owner.
  • Helper functions used by RLS live in a private app_internal schema with EXECUTE revoked from the anon role, so they aren't exposed via the public REST API.
  • The service-role key (bypasses RLS) is used only by tightly-scoped server-side API routes (email sync, file uploads). It never reaches the browser.
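The pattern the bullets above describe, reduced to a single tenant-scoped table, followed by the isolation check we would expect an auditor to run. This is an added illustration, not PEVCOS's schema: the deals table, the app_internal.team_members mapping table, the policy names and the sample uuids are assumptions; auth.uid(), the anon, authenticated and service_role roles, and the request.jwt.claims setting are the ones Supabase provides. security_invoker views require Postgres 15 or later.

```sql
-- Added example (not PEVCOS's schema). Assumed: deals, app_internal.team_members,
-- the sample uuids, and the Supabase-provided auth.uid() / role names.

create schema if not exists app_internal;
-- Policies run with the privileges of the querying user, so that user needs
-- USAGE on the schema. PostgREST serves only the schemas in its exposed list,
-- so this does not put app_internal on the REST API.
grant usage on schema app_internal to authenticated;

-- Assumed mapping: a team member's auth uid -> the tenant (account owner) uid.
create table if not exists app_internal.team_members (
  member_id      uuid primary key,
  tenant_user_id uuid not null
);

-- Resolver called by every policy. SECURITY DEFINER so it can read
-- team_members whatever the caller's grants are; search_path pinned so the
-- definer function cannot be hijacked through the caller's search path
-- (the "mutable search_path" finding the Supabase security advisor reports).
create or replace function app_internal.get_effective_user_id()
returns uuid
language sql
stable
security definer
set search_path = ''
as $$
  select coalesce(
    (select tm.tenant_user_id
       from app_internal.team_members tm
      where tm.member_id = auth.uid()),
    auth.uid()
  );
$$;

-- New functions are EXECUTE-able by PUBLIC, so revoking from anon alone
-- changes nothing: revoke from PUBLIC, then grant back only what needs it.
revoke execute on function app_internal.get_effective_user_id() from public, anon;
grant  execute on function app_internal.get_effective_user_id() to authenticated;

-- A tenant-scoped table: every row carries the tenant's user_id.
create table if not exists public.deals (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null default app_internal.get_effective_user_id(),
  name    text not null
);
grant select, insert, update, delete on public.deals to authenticated;
alter table public.deals enable row level security;

-- USING governs what a session can see, WITH CHECK what it may write. The
-- WITH CHECK on UPDATE is what stops a user re-homing a row to another tenant.
create policy deals_select on public.deals for select to authenticated
  using (user_id = app_internal.get_effective_user_id());
create policy deals_insert on public.deals for insert to authenticated
  with check (user_id = app_internal.get_effective_user_id());
create policy deals_update on public.deals for update to authenticated
  using (user_id = app_internal.get_effective_user_id())
  with check (user_id = app_internal.get_effective_user_id());
create policy deals_delete on public.deals for delete to authenticated
  using (user_id = app_internal.get_effective_user_id());

-- A view that inherits the table's RLS instead of running as the view owner.
create or replace view public.deal_summaries
  with (security_invoker = on) as
  select id, name from public.deals;
grant select on public.deal_summaries to authenticated;

-- Isolation check (constructed data). Rows are seeded as the table owner,
-- which bypasses RLS; the session is then switched to "authenticated" with a
-- constructed JWT claim set, which is what PostgREST does on every request.
insert into public.deals (user_id, name) values
  ('00000000-0000-0000-0000-000000000001', 'tenant-1 deal'),
  ('00000000-0000-0000-0000-000000000002', 'tenant-2 deal');
insert into app_internal.team_members (member_id, tenant_user_id) values
  ('00000000-0000-0000-0000-0000000000aa', '00000000-0000-0000-0000-000000000001');

begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-0000000000aa","role":"authenticated"}', true);
-- The team member of tenant 1 sees exactly one row: 'tenant-1 deal'.
select name from public.deal_summaries;
-- To see the WITH CHECK fire, run in this same transaction:
--   update public.deals set user_id = '00000000-0000-0000-0000-000000000002';
-- It fails with: new row violates row-level security policy for table "deals"
rollback;
```

Run the check with a user-facing key or a real session, never with the service-role key: service_role carries BYPASSRLS, so every policy above is silently skipped and the query returns both tenants' rows, which is exactly why that key must stay server-side.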

Encryption

  • In transit: TLS 1.2+ everywhere. HSTS is enabled on the application origin.
  • At rest: Database volumes are encrypted with AES-256 by Supabase. File storage volumes (logos, document uploads) are encrypted with AES-256 by Supabase Storage.
  • OAuth refresh tokens and any third-party API keys we store are kept in encrypted columns and only decrypted at use time inside server-side functions.

Infrastructure

  • Application hosting: Vercel — SOC 2 Type 2 attested.
  • Database, auth, storage: Supabase — SOC 2 Type 2 attested, hosted on AWS.
  • Region: us-east-1 (Northern Virginia). Single-region today; multi-region failover planned for a future release.
  • Payments: Stripe — PCI DSS Level 1. We never see full card numbers.
  • AI inference: Anthropic (Claude API). Anthropic does not train its models on data sent through the commercial API.
  • Transactional email: Resend — SOC 2 Type 2 attested. Used for auth emails, LP letters, capital-call notices, and contact-form submissions.
  • E-signature (optional): DocuSign — SOC 2 Type 2 attested. Only enabled for users who connect their own DocuSign account; signed PDFs live in DocuSign, not on our infrastructure.

Vendor security

We maintain a current list of subprocessors in our Privacy Policy (Section 6). New subprocessors are reviewed for SOC 2 / ISO 27001 attestation before being added. We notify customers in advance of material changes.

Application security

  • Dependencies are pinned and reviewed; major-version upgrades go through a staging preview before merging to production.
  • Server-side API routes validate user identity before any data access and use parameterized queries to prevent injection.
  • Client-side queries go through the Supabase JS SDK, which uses parameterized PostgREST requests and an authenticated JWT — RLS catches anything that bypasses client-side checks.
  • Cross-Site Request Forgery is mitigated by SameSite cookies plus server-side same-origin checks on sensitive routes.
  • Security headers (HSTS, X-Content-Type-Options, Referrer-Policy) are enforced at the edge by Vercel.

Backups & durability

  • Database backups: daily snapshots on Supabase Pro (7-day retention) with point-in-time recovery available.
  • File storage: replicated across availability zones by Supabase Storage (AWS S3 durability — 99.999999999%).
  • Application code: version-controlled on GitHub with deploy history retained indefinitely on Vercel; you can roll back to any prior deploy in one click.

Monitoring & logging

  • Application logs (function invocations, errors, slow queries) retained in Vercel for 90 days.
  • Database query logs and auth-event logs are accessible in the Supabase dashboard.
  • Supabase's automated security advisor checks the database for RLS gaps, mutable search-path functions, and other configuration risks; we review its output regularly.

Incident response

If we discover a security incident affecting customer data, we will:

  • Contain and remediate the issue immediately;
  • Notify affected customers within 72 hours of discovery where the law requires it (under GDPR, Article 33 sets the 72-hour deadline for notifying the supervisory authority and requires a processor to notify its controllers without undue delay);
  • Provide a written post-incident report covering scope, root cause, remediation, and preventive measures.

Responsible disclosure

If you find a vulnerability, please report it to security@pevcos.com with reproduction steps. We commit to:

  • Acknowledge receipt within 2 business days;
  • Provide an initial assessment within 7 business days;
  • Not pursue legal action against good-faith researchers who follow this policy and avoid privacy violations, service disruption, or destruction of data.

Compliance posture

We are an emerging-stage company. We are not currently SOC 2 or ISO 27001 certified ourselves, but we build on infrastructure providers (Vercel, Supabase, Stripe) that are. SOC 2 Type 1 is on our roadmap for the next 12 months. If you're an enterprise prospect with specific compliance requirements, contact security@pevcos.com and we'll discuss what we can commit to today.

Contact

Security questions, vulnerability reports, or due-diligence inquiries: security@pevcos.com.