Valtryn OS

SECURITY

How we treat your data.

Plain answers to the security questions our customers and their procurement teams ask.

DATA HANDLING

  • All customer data encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Hosted on Vercel (frontend) and Supabase (backend) — both SOC 2 Type II certified providers.
  • Per-customer data isolation via separate Supabase projects (Phase 1) or Row-Level Security (Phase 2).
  • US-based hosting only.

ACCESS CONTROLS

  • Multi-factor authentication required on all admin accounts.
  • Role-based permissions per customer deployment.
  • Audit logs of all admin actions retained 12 months minimum.
  • Access reviews quarterly.

AI DATA HANDLING

  • Customer data sent to the Anthropic API is governed by Anthropic's enterprise data processing agreement.
  • No customer data is used for model training (per Anthropic policy).
  • AI outputs are advisory; irreversible actions require human approval.

COMPLIANCE ROADMAP

  • SOC 2 Type II audit target: Q4 2026.
  • HIPAA-eligible architecture available for healthcare customers (Rivet Healthcare reference).
  • Cyber liability insurance: $1M coverage in place.

INCIDENT RESPONSE

  • Security incident response plan documented.
  • Customer notification within 72 hours of a confirmed material incident.
  • Post-incident write-up shared with affected customers.

YOUR DATA RIGHTS

  • You own your data.
  • Full export available at any time, in any format.
  • Retention configurable per customer.
  • Deletion within 30 days of account termination.

SECURITY CONTACT

  • security@valtryn.ai for security disclosures.
  • Encrypted communication via PGP available on request.