Security & compliance

What ships, what’s in progress

Verdict reads pitch decks and writes memos. That means a fund’s deal flow passes through this system. This page documents what protects the data, what doesn’t, and the honest gap between the two.

Tenant isolation

Every hot table that holds fund data carries Postgres row-level security (RLS) policies scoping reads + writes to the owning user. Cross-fund retrieval is forbidden at the database layer, not just the application layer.

DataScope
Decks & memosuser_id = auth.user.id
Semantic search indexuser_id = auth.user.id
Fund profileuser_id = auth.user.id
Per-fund calibrationuser_id = auth.user.id
Self-audit memoryuser_id = auth.user.id
Memo feedbackuser_id = auth.user.id
Enriched fund profileServer-only (RLS denies all anon/authed reads)

Server-side reads go through a service-role client only when the request is owner-scoped by the application layer (e.g., the analysis pipeline that generates a memo on the owning user’s behalf).

Encryption

Deck files in Supabase Storage are encrypted at rest with AES-256, and all traffic to and from the application runs over TLS 1.3. Payment details go straight to Stripe through tokenized checkout, so raw card numbers never reach Verdict infrastructure.

Authentication and access control

Accounts are managed by Clerk on production keys served from clerk.useverdict.io. Every request to a data route resolves the signed-in user on the server before any record is read or written, and that scoping is enforced a second time at the database layer by row-level security.

The Supabase service-role key that grants server-side database access lives only in Vercel environment secrets, never in source control, and stays separate from the dedicated secret used to sign internal chain-trigger tokens.

Data retention tiers

Decks can be flagged at upload time. Each tier has a different storage lifetime for the raw PDF; the generated memo always persists for the account lifetime so the GP can return to it. Tier selection is at /dashboard/new under “Retention”.

Standard

90 days

Default. Raw deck PDF retained 90 days then auto-purged by daily cron. Memo + analysis preserved.

Sensitive

24 hours

Raw deck PDF auto-purged 24 hours after the memo generates. Memo retained. Used for decks under confidentiality.

Proprietary

Pending

Per-deck symmetric key encryption + 0-hour purge on completion. Awaiting per-deck KMS implementation; ship target Q3 2026.

Full retention language for memo feedback and self-audit memory sits in the Data Processing Addendum section 04.

Deletion and data rights

You can delete any single memo and its source deck from the report viewer at any time, and the deck file leaves Storage in the same operation. Deleting your account removes your fund profile, every memo, every uploaded deck, your feedback rows, your Clerk session, and your Stripe customer record. The moment an account is marked for deletion it loses access to its data, ahead of the hard purge that finishes within seven days.

Memos export to PDF straight from the viewer, and a structured export of your account data is available on request. The full rights language, including the GDPR and CCPA specifics, sits in the Privacy Policy.

No training on your data

Pitch decks, generated memos, and feedback rows are never used to train any foundation model. Verdict’s model provider, Anthropic, processes each call under commercial API terms that prohibit training on customer data; inputs and outputs may be retained for up to 30 days for trust-and-safety review, then deleted. Per-fund calibration doescompound inside the fund’s own account, RLS-scoped to that fund only.

Sub-processors

Verdict runs on a small set of infrastructure providers, and your data reaches each one only as far as normal product operation requires. The complete list, with a link to every provider’s own privacy commitments, is kept current in the Privacy Policy. The summary here is what a security reviewer usually asks for first.

ProviderWhat they handle
ClerkAuthentication. Email address and OAuth tokens.
SupabaseDatabase and deck storage. Encrypted at rest (AES-256), TLS 1.3 in transit, hosted on AWS us-east-1.
StripePayments. Tokenized card details through Stripe Checkout; raw card numbers never reach Verdict.
AnthropicClaude model inference. Decks and prompts are processed for the call and retained by Anthropic up to 30 days for trust-and-safety, then deleted; no training on customer data.
Voyage AIEmbeddings for the calibration memory. Receives structured corrections only, never raw deck content.
CloudConvertConverts PPTX and DOCX uploads to PDF, then deletes them on its side.
ResendTransactional email. Your email address and the message body.
PostHogProduct analytics. Pageviews and feature usage, suppressed when your browser sends Do Not Track.
SentryError monitoring. Sanitized stack traces with tokens and uploaded content scrubbed.
VercelHosting and serverless functions. Standard request logs.
TavilyWeb search for fund-partner research (Fundraise Pass and VC tiers). Receives the partner names and links you enter, never your pitch decks or fund-confidential data.
GoogleCalendar and Gmail metadata, opt-in per user, available after Google OAuth verification.

Audit trail

Every memo run leaves machine-readable evidence the GP can audit post-hoc. No hidden state; no “trust us, the model said so.”

In progress

What’s not done yet, with honest timing. Procurement teams reading this should treat these as commitments, not marketing.

SOC 2 Type II

Q3 2026 target

Vanta or Drata-tracked. Honest framing: no auditor engaged yet. Compounding policy work is documented but unattested.

Penetration test

Post-Series-A

Third-party engagement scheduled after the first institutional round closes. Internal threat modeling and dependency audits are continuous.

Proprietary tier (per-deck KMS)

Q3 2026

Per-deck symmetric key encryption with 0-hour deck purge on memo completion. Currently the Sensitive tier (24-hour purge) is the strongest available.

Incident response & questions

Security concern, suspected incident, or procurement questionnaire? security@useverdict.io. 24-hour acknowledgment SLA. Incident-response runbook is documented internally; outbound notifications follow GDPR Article 33 timing (72 hours from awareness, when applicable).

A machine-readable contact for security researchers is published at /.well-known/security.txt.