Version 1.2
Security Overview & Pilot Framework
Architecture, Data Boundaries, & Risk Controls
March 2026
SECURITY OVERVIEW
INFRASTRUCTURE
• Hosted on Heroku (AWS US-East)
• Managed PostgreSQL
• AWS S3 object storage
Primary Region: AWS US-East (N. Virginia)
ENCRYPTION
• Encryption at rest
• TLS in transit
• AES-256 S3 encryption
TENANT ISOLATION
• Logical tenant scoping
• Cross-tenant access is restricted via tenant-scoped application logic.
AI BOUNDARY
• Retrieval-based architecture
• Only relevant fragments sent to OpenAI
• No training on customer data
• Data submitted via OpenAI API is not used for model training (per provider policy)
AUTHENTICATION & ACCESS
• Password + Google OAuth
• Role-based access control (RBAC)
LOGGING
• Application and platform logs
• Audit logging in development
CURRENT
SOC 2 not yet certified
ROADMAP
SOC 2 TYPE I → TYPE II
ARCHITECTURE & DATA BOUNDARIES
• Internal Boundary: Application + Tenant-Scoped Database
• Storage Boundary: Encrypted S3 + Encrypted Postgres
• AI Boundary: Fragment Retrieval + Stateless Model Invocation
PILOT OPERATING PARAMETERS
INTENDED MATERIALS
• CIMs
• Financial models
• Diligence reports
• IC preparation materials
DATA CLASSIFICATION
• May contain executive names and business contact information
• No PHI
• No PCI
• No consumer financial account data
• No production integrations
Pilot operates under confidential business information classification.
RISK CONTAINMENT FRAMEWORK
• Tenant-scoped logical isolation
• Role-based access control
• Fragment-based AI retrieval only
• No full repository transmission
• No automated outbound integrations
• Data deletion available upon request
• Pilot can be discontinued at any time
Operational security controls in place with structured compliance roadmap underway.