Security & compliance
What ships, what’s in progress
Verdict reads pitch decks and writes memos. That means a fund’s deal flow passes through this system. This page documents what protects the data, what doesn’t, and the honest gap between the two.
Tenant isolation
Every hot table that holds fund data carries Postgres row-level security (RLS) policies scoping reads and writes to the owning user. Cross-fund retrieval is forbidden at the database layer, not just the application layer.
| Table | Scope |
|---|---|
| reports | user_id = auth.user.id |
| memo_embeddings | user_id = auth.user.id |
| fund_profiles | user_id = auth.user.id |
| fund_calibration_training | user_id = auth.user.id |
| audit_lessons | user_id = auth.user.id |
| memo_feedback | user_id = auth.user.id |
| fund_profile_cache | Server-only (RLS denies all anon/authed reads) |
Server-side reads go through a service-role client only when the request is owner-scoped by the application layer (e.g., the analysis pipeline that generates a memo on the owning user’s behalf).
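As an added illustration (not Verdict's own migration), here is what the policy shape in the table above looks like in Postgres. It assumes a Supabase-style setup, where `auth.uid()` returns the calling user's id and `anon` / `authenticated` / `service_role` are the provided roles; the `user_id` column and table names come from the page, the policy names are made up. The second part shows the "server-only" pattern for `fund_profile_cache`: RLS enabled with no permissive policy, so application roles get nothing and only the service-role client (which bypasses RLS) can read it.

```sql
-- Added example, not the project's own code. Assumes Supabase conventions:
-- auth.uid() yields the caller's user id; roles anon/authenticated/service_role exist.

-- 1. User-scoped table: every statement type is limited to user_id = auth.uid().
alter table public.reports enable row level security;
-- FORCE also applies the policies to the table owner; roles with BYPASSRLS
-- (the service role) are still unaffected, which is what server-side reads rely on.
alter table public.reports force row level security;

create policy reports_owner_select on public.reports
  for select using (user_id = auth.uid());

-- WITH CHECK on insert/update stops a user from writing rows under another user's id.
create policy reports_owner_insert on public.reports
  for insert with check (user_id = auth.uid());

create policy reports_owner_update on public.reports
  for update using (user_id = auth.uid()) with check (user_id = auth.uid());

create policy reports_owner_delete on public.reports
  for delete using (user_id = auth.uid());

-- 2. Server-only table: RLS on, no policies at all. With RLS enabled and no
-- permissive policy, Postgres denies every row to anon and authenticated.
-- Revoking the grants as well makes the intent explicit and survives a
-- future "create policy" mistake.
alter table public.fund_profile_cache enable row level security;
alter table public.fund_profile_cache force row level security;
revoke all on public.fund_profile_cache from anon, authenticated;

-- 3. Verification from inside a migration or psql session: impersonate an
-- authenticated user and confirm the policies filter. The constructed UUID
-- below is a placeholder, not a real account.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
-- Should never return rows belonging to a different user_id.
select count(*) as foreign_rows from public.reports where user_id <> auth.uid();
-- Should error or return nothing for a non-service role.
select count(*) as cache_rows from public.fund_profile_cache;
rollback;
```

The verification block is the check a reviewer wants to see attached to the policy migration: if `foreign_rows` is ever non-zero, or `cache_rows` succeeds for `authenticated`, the RLS guarantee described above does not hold. The `begin` / `rollback` wrapper keeps the role switch from leaking into the rest of the session.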
Data retention tiers
Decks can be flagged at upload time. Each tier has a different storage lifetime for the raw PDF; the generated memo always persists for the account lifetime so the GP can return to it. Tier selection is at /dashboard/new under “Retention”.
| Tier | Raw PDF lifetime | Details |
|---|---|---|
| Standard | 90 days | Default. Raw deck PDF retained 90 days, then auto-purged by a daily cron. Memo + analysis preserved. |
| Sensitive | 24 hours | Raw deck PDF auto-purged 24 hours after the memo generates. Memo retained. Used for decks under confidentiality. |
| Proprietary | Pending | Per-deck symmetric key encryption + 0-hour purge on completion. Awaiting per-deck KMS implementation; ship target Q3 2026. |
Full retention language including memo_feedback and audit_lessons retention sits in the Data Processing Addendum section 04.
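The two live tiers start their clocks from different events (upload for Standard, memo generation for Sensitive), which is the detail a purge job most often gets wrong. The following is an added example of how a daily purge query can encode that, against a hypothetical `deck_uploads` table that is not part of Verdict's documented schema; the column names are assumptions, the 90-day and 24-hour windows are the ones stated above.

```sql
-- Added example with a hypothetical schema (not Verdict's own):
--   deck_uploads(id, retention_tier, uploaded_at, memo_generated_at, pdf_purged_at)
-- retention_tier is 'standard' | 'sensitive' | 'proprietary'.
-- Windows from the retention table: Standard = 90 days after upload,
-- Sensitive = 24 hours after the memo generates.

with expiry as (
  select id,
         retention_tier,
         case retention_tier
           when 'standard'  then uploaded_at + interval '90 days'
           -- NULL memo_generated_at yields NULL here, so a sensitive deck whose
           -- memo has not finished is never purged out from under the pipeline.
           when 'sensitive' then memo_generated_at + interval '24 hours'
           -- 'proprietary' has no branch: it falls through to NULL and is
           -- excluded until the per-deck KMS tier ships, rather than silently
           -- being treated as Standard.
         end as purge_after
  from deck_uploads
  where pdf_purged_at is null
)
select id, retention_tier, purge_after
from expiry
where purge_after is not null
  and purge_after <= now()
order by purge_after;

-- After the job deletes the object from storage, it records the purge so the
-- row drops out of the next run. Marking the timestamp, rather than deleting
-- the row, keeps the upload metadata the memo still references.
-- update deck_uploads set pdf_purged_at = now() where id = any($1);
```

The check worth running against such a job: a Sensitive deck with `memo_generated_at` NULL must not appear in the result set even if it was uploaded months ago, and a Proprietary row must not appear at all until that tier is implemented.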
No training on your data
Pitch decks, generated memos, and feedback rows are never used to train any foundation model. Verdict’s LLM provider account runs on the zero-data-retention tier; the model-call boundary is explicit and audited per call in chain_telemetry. Per-fund calibration training does compound inside the fund’s own account via the fund_calibration_training table, which is RLS-scoped to that fund only.
Audit trail
Every memo run leaves machine-readable evidence the GP can query post-hoc. No hidden state; no “trust us, the model said so.”
- chain_telemetry: per-call cost, latency, cache hit rate, token usage.
- chain_background_failures: structured failure rows for any task that throws or hits a Zod parse error. Surfaces in the report viewer as a Resume button.
- chain_task_outcomes: per-task lifecycle markers (gate decision · model-call boundaries · database write boundaries) for the founder-mode post-analysis task fanout.
- audit_lessons: self-audit findings that compound across memos. Each new memo reads prior lessons to catch recurring failure modes.
In progress
What’s not done yet, with honest timing. Procurement teams reading this should treat these as commitments, not marketing.
| Item | Target | Status |
|---|---|---|
| SOC 2 Type II | Q3 2026 | Vanta- or Drata-tracked. Honest framing: no auditor engaged yet. Compounding policy work is documented but unattested. |
| Penetration test | Post-Series-A | Third-party engagement scheduled after the first institutional round closes. Internal threat modeling and dependency audits are continuous. |
| Proprietary tier (per-deck KMS) | Q3 2026 | Per-deck symmetric key encryption with 0-hour deck purge on memo completion. Currently the Sensitive tier (24-hour purge) is the strongest available. |
Incident response & questions
Security concern, suspected incident, or procurement questionnaire? lishaorui82@gmail.com. 24-hour acknowledgment SLA. Incident-response runbook is documented internally; outbound notifications follow GDPR Article 33 timing (72 hours from awareness, when applicable).