Your data is safe.
That's not negotiable.
Enterprise-grade security isn't an add-on. It's the foundation. Every feature is built with privacy, encryption, and compliance baked in.
SOC 2 Infrastructure
Vercel + Neon
GDPR Compliant
By Architecture
Zero Data Retention
AI Processing
256-bit AES
Encryption
Tenant Isolation
Defense-in-Depth
Data Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections are encrypted end-to-end. No plaintext secrets in logs or error reports.
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- Encrypted database connections
- No secrets in logs or error traces
Tenant Isolation
Every organization's data is fully isolated at the application layer. Our layered security approach ensures no cross-organization data access is possible, even in error conditions.
- Application-layer tenant isolation
- Defense-in-depth architecture
- Scoped queries on every database call
- Validated on writes, enforced on reads
AI Privacy (Zero Data Retention)
When our AI matching engine processes member profiles, we never send personal data to language models. Profiles are anonymized before processing, and we enforce Zero Data Retention on all LLM calls.
- No names or emails sent to AI models
- Anonymized profile processing
- Zero Data Retention (ZDR) enforced
- Prompts/outputs not stored or used for training
Access Control
Role-based access control with least-privilege defaults. Super admins, org admins, program admins, and members each see only what they need. All admin actions are logged.
- Role-based access control (RBAC)
- Least-privilege defaults
- Immutable audit trail for admin actions
- Magic link auth (no passwords to leak)
Infrastructure
Hosted on Vercel's edge network (SOC 2 Type II certified) with automatic DDoS protection. Database on Neon Serverless Postgres (SOC 2 Type II certified) with automated backups and point-in-time recovery.
- Vercel edge network, SOC 2 Type II certified
- Neon Serverless Postgres, SOC 2 Type II certified
- Automated daily backups with point-in-time recovery
- Rate limiting on all API endpoints
Compliance
Built with compliance in mind from day one. Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications. We implement GDPR-compliant data handling, data portability on request, and full deletion within 30 days of contract termination.
- GDPR-compliant data handling by architecture
- Data portability and export on request
- Full deletion within 30 days of termination
- Data Processing Agreement (DPA) available
AI that respects privacy
When our matching engine processes profiles, we take extreme care to protect member data.
Anonymized Profiles
Names become 'the Mentee' and 'Mentor A'. Emails and phone numbers are stripped from bios before AI processing.
Zero Data Retention
All LLM API calls enforce ZDR. Prompts and outputs are not stored, cached, or used for model training by providers.
Post-Processing Only
Real names are substituted back only after AI generates match rationales. The model never sees identifying information.
Questions about security?
We're happy to walk through our security architecture with your IT or compliance team.