Security and compliance, stated plainly
Raiz’d holds the documents founders share in their most sensitive moments. This page is our full posture — what we do, what we don’t, and what we won’t claim. No badges we haven’t earned.
The honest one-liner: Raiz’d is built on SOC 2 Type II and ISO 27001-certified infrastructure (Supabase, Vercel) and bills through PCI DSS Level 1-certified Stripe. Raiz’d itself holds no certifications yet — our providers’ audits cover their layer, not our application. What covers our layer is the engineering below.
Security controls
Data security
- Encryption in transit (TLS) and at rest (Supabase/Postgres).
- Documents live in a private storage bucket — served only via short-lived signed URLs issued after the viewing session is validated against an active link.
- Integration credentials encrypted with AES-256-GCM before they touch the database.
- Card data never reaches our servers — billing is handled end-to-end by Stripe.
Application security
- Per-account isolation enforced by Postgres row-level security (RLS) on every table.
- Storage paths are owner-namespaced and enforced by database triggers + storage policies, preventing cross-tenant file references.
- API routes that accept a storage path or id verify ownership server-side — client-supplied paths are never trusted.
- Outbound webhooks are HMAC-signed; OAuth state parameters are HMAC-signed with a 10-minute TTL.
Access & sharing controls
- Link-level controls: email gating, expiry, pause/revoke at any time, optional download, optional dynamic viewer watermark.
- Data rooms support an NDA acceptance gate before access.
- Team seats are read-only views of the founder’s workspace with explicit invites and one-click revocation.
- An append-only audit trail records account actions (link created/revoked, document uploaded, invites, exports) — visible to you in Settings.
Infrastructure & operations
- Hosted on Supabase (database, auth, storage — AWS us-west-1) and Vercel (application, edge network, WAF).
- Database migrations are versioned in source control and reviewed before applying.
- Supabase security advisors run against the production database; findings are triaged and documented.
- A vulnerability disclosure policy with a machine-readable security.txt (RFC 9116).
Viewer transparency
Raiz’d is an analytics product, so we hold ourselves to the same transparency we’d want as a viewer: people opening a shared document are told it’s tracked before they view it, tracking is limited to email (when gated), pages viewed, and time per page, and we do not collect viewer IP addresses. When a view comes from an AI agent rather than a human, we store only a coarse label (e.g. “Claude”), never the raw user-agent string. Watermarking is an honest deterrent, clearly labeled in the viewer — we don’t pretend it’s DRM.
Subprocessors
The vendors that process data on our behalf, what they do for us, and their own published certifications:
| Vendor | Role | Their certifications |
|---|---|---|
| Supabase | Database, authentication, document storage (AWS us-west-1) | SOC 2 Type II, ISO 27001, encryption at rest, GDPR |
| Vercel | Application hosting, edge network, WAF | SOC 2 Type II, ISO 27001:2022, PCI DSS v4.0, GDPR + DPA, EU-U.S. DPF |
| Stripe | Payment processing (card data never reaches Raiz’d) | PCI DSS Level 1, SOC 1, SOC 2 Type II |
| Resend | Transactional email and investor-update delivery | SOC 2 Type II, GDPR + DPA, EU-U.S. DPF |
| ConvertAPI | PowerPoint → PDF conversion at upload (file content only, transiently) | See their security documentation |
Integrations you explicitly connect (Slack, Google, QuickBooks, etc.) receive only the data needed for that integration and act on your instruction — they aren’t subprocessors of the core service.
Your data rights
- Export — download everything we hold for your account as JSON, self-serve, from Settings.
- Deletion — delete your account from Settings; it permanently removes your data, stored files, and analytics, and cancels any subscription.
- Retention — we keep data while your account is active, and only what the product needs (no viewer IPs, no card data).
- Questions or manual requests — privacy@raizd.xyz.
Certification roadmap
SOC 2 Type II is planned and customer-driven: when a customer’s procurement requires it, we’ll engage a compliance platform and auditor, and update this page at each real milestone. Until then, you’ll never see “SOC 2 compliant”, “bank-level security”, or an unearned badge here — if a claim on this page is ever ahead of reality, that’s a bug; tell us.
FAQ
Is Raiz’d SOC 2 certified?
No — and we won’t imply otherwise. Raiz’d runs on SOC 2 Type II and ISO 27001-certified infrastructure (Supabase, Vercel), but those are our providers’ audits, not ours. A SOC 2 audit of Raiz’d itself is on our roadmap and will start when customers need it; we’ll only say “in progress” once an auditor is actually engaged.
Where is my data stored?
In Supabase’s AWS us-west-1 region (Oregon, United States): the database, authentication records, and uploaded documents. The application is served globally from Vercel’s edge network.
What do you track about people who view my documents?
The email they enter (if you enabled the email gate), which pages they viewed, and time per page. We tell viewers this before they open a document, and we do not collect viewer IP addresses. We do detect whether a view came from an AI agent rather than a human, and store only a coarse label (e.g. “Claude”) — never the raw user-agent string.
Who can see my documents?
Only people with an active link you created, within the controls you set (email gate, expiry, NDA, watermark). The storage bucket is private; files are served exclusively through short-lived signed URLs issued after the viewing session is validated. Raiz’d staff access production data only for support or incident response.
Can I export or delete my data?
Yes, self-serve: Settings → “Export my data” downloads everything as JSON, and “Delete account” permanently removes your account, documents, analytics, and stored files (and cancels any subscription). Or email privacy@raizd.xyz.
Do you offer a DPA?
Yes — our standard Data Processing Addendum is public. To execute a countersigned copy, email legal@raizd.xyz.
How do I report a security vulnerability?
Email security@raizd.xyz. We welcome good-faith research and won’t pursue legal action for it — details and scope are on our security page and in /.well-known/security.txt.
Documents & contact
Privacy policy · Terms of service · Data Processing Addendum · Security & vulnerability disclosure
Security questionnaires, DPA execution, or anything procurement needs: security@raizd.xyz.