PledgeOFF
Security

Your data is yours.

We handle ideas that haven't shipped yet. That data is sensitive by definition. Here's exactly how we protect it.

How we protect your data
Encryption in transit
All data is transmitted over TLS 1.2+. Every API call, every webhook, every browser session — encrypted end-to-end.
Encryption at rest
Data stored in Supabase (Postgres on AWS) encrypted at rest with AES-256. GitHub OAuth tokens additionally encrypted at application layer with AES-256-GCM.
Authentication
Email/password, Google OAuth, and GitHub OAuth via Supabase Auth. Short-lived JWTs. TOTP two-factor authentication available for all accounts.
Row-level security
Every database table has Postgres RLS policies enforced at the database layer. Users can only access their own data — regardless of application code.
API key security
API keys are hashed with SHA-256 before storage. Plaintext shown once at creation, never stored. Compromised keys revoked instantly.
Secret scanning
GitHub repository has secret scanning enabled. Dependabot runs weekly. Critical CVEs patched within 24 hours.
Access control
Production database access requires MFA and is restricted to named individuals. No shared credentials. Access reviewed quarterly.
Data residency
All data processed and stored in the EU (AWS eu-central-1). No transfer outside EEA without appropriate safeguards.
SOC 2 roadmap

We are working toward SOC 2 Type II certification.

LiveStructured audit logging
LiveUptime monitoring (BetterStack + Sentry)
LiveRow-level security on all tables
LiveDependency scanning (Dependabot)
LiveEncryption at rest + application-layer token encryption
LiveIncident runbook
PlannedFormal security policy documentation
PlannedPenetration test (third party)
PlannedSOC 2 Type I audit
PlannedSOC 2 Type II certification
Responsible disclosure

If you discover a security vulnerability in PledgeOFF, please report it privately. We acknowledge within 48 hours and resolve confirmed issues within 14 days.

Please do not publicly disclose vulnerabilities until we've had a chance to address them. We credit researchers who report valid issues.

[email protected]
Sub-processorsfull list in Privacy Policy §5
SupabaseDatabase, authentication, storageEU (AWS eu-central-1)
VercelHosting, edge networkGlobal CDN · primary EU
AnthropicAI model inference (Otto assistant)US
GroqAI model inference (signal analysis)US
StripePayment processingUS / EU
ResendTransactional emailUS
SentryError monitoringUS