Underwrote.AI

Security

Effective May 8, 2026

This page summarizes how Underwrote.AI handles your data and the controls that protect it. For a buyer's diligence pack, this plus our Privacy Policy and Terms covers the standard ground; reach out at security@underwrote.ai for anything not covered here.

Subprocessors

Underwrote.AI runs on a managed infrastructure stack. Every vendor below is SOC 2 Type II certified by an independent auditor; links go to each vendor's public trust page where you can request the report.

  • Vercel: application hosting, serverless functions, edge network, and global CDN. SOC 2 Type II, ISO 27001.
  • Supabase: Postgres database, authentication, file storage, and row-level-security policy enforcement. SOC 2 Type II, HIPAA-eligible.
  • Stripe: payment processing, subscription billing, and customer portal. SOC 2 Type II, PCI DSS Level 1.
  • Anthropic: LLM inference for document extraction (offering memos, STAR reports, P&Ls) and IC memo generation. SOC 2 Type II. Zero-data-retention configured for our API key — uploads and memo content are not used to train models.
  • Resend: transactional email (password reset, signup confirmation, trial reminders). SOC 2 Type II.
  • Sentry: application error monitoring (server + client). Configured to scrub request bodies; no deal data sent. SOC 2 Type II, ISO 27001.
  • PostHog: product analytics (consent-gated; off by default until the user accepts the cookie banner). SOC 2 Type II.

Authentication & account safety

Authentication is handled by Supabase Auth (Postgres-backed, bcrypt-hashed passwords). The platform supports:

  • Email + password sign-in with rate-limited login attempts
  • OAuth via Google, Microsoft, and LinkedIn (no password stored on our side for OAuth users)
  • TOTP multi-factor authentication with backup recovery codes (settings → Security tab)
  • Self-service password reset via email-confirmed link
  • Self-service account deletion with full data purge

Every authenticated request passes through a server-side proxy that revalidates the user's Supabase session on each call. The proxy is configured to fail open with a degraded-auth header on transient infrastructure outages so an upstream Supabase incident doesn't silently log everyone out, but mutating API routes still require a fresh session.

Data isolation

Every row in our Postgres database — deals, profiles, paid exports, IC memos, integrations — has a Postgres row-level-security (RLS) policy that constrains access to the row's owning workspace. RLS runs inside the database; even a bug in our application code that issued an unscoped query would be denied by Postgres before any data left the server. Supabase Storage uses analogous bucket policies for file access.
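As an added illustration (not Underwrote.AI's actual schema or policies), this is what a workspace-scoped RLS policy of the kind described above looks like in Postgres/Supabase SQL. The `deals` and `workspace_members` tables and their columns are assumed; `auth.uid()` is Supabase's helper that returns the calling user's JWT subject.

```sql
-- Added example, not the project's own schema. Table and column names are assumed.
-- Membership table: which users belong to which workspace.
create table if not exists workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);
alter table workspace_members enable row level security;
-- A user sees only their own memberships; this also bounds the subquery below.
create policy members_self on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- A tenant-owned table: every row carries the owning workspace.
create table if not exists deals (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null
);
alter table deals enable row level security;
alter table deals force row level security;   -- constrain the table owner too

-- USING filters reads, updates and deletes; WITH CHECK rejects writes that
-- would place a row in a workspace the caller is not a member of.
create policy deals_workspace_isolation on deals
  for all to authenticated
  using (
    exists (select 1 from workspace_members m
            where m.workspace_id = deals.workspace_id
              and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from workspace_members m
            where m.workspace_id = deals.workspace_id
              and m.user_id = auth.uid())
  );

-- With the policy in place, an application query that forgets its
-- workspace filter:
--   select * from deals;
-- returns only rows from workspaces the caller belongs to, and
--   insert into deals (workspace_id, name) values ('<some other workspace>', 'x');
-- errors with: new row violates row-level security policy for table "deals"
```

One caveat worth checking in any Supabase deployment: queries issued with the `service_role` key bypass RLS entirely, so this guarantee only covers requests made with the end user's JWT.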

Data flows

What goes where

  • Deal inputs & outputs stay in our Postgres database (Supabase, US region). Never sent to Anthropic.
  • Uploaded documents (offering memos, STAR reports, P&Ls) are stored privately in Supabase Storage scoped to your workspace, then sent to Anthropic for extraction. Anthropic returns the extracted fields; we store those alongside the deal. Anthropic does not retain or train on this data (zero-data-retention API key).
  • IC memo content is sent to Anthropic for generation, then stored in Postgres. Same zero-retention posture.
  • Payment data never touches our servers. Card entry happens directly in Stripe Checkout / Stripe Customer Portal; we receive only the customer ID, subscription status, and webhook events.
  • Email sends (password reset, trial reminders) flow through Resend. Email content is generated server-side with no third-party templating service.

What we don't collect

  • Payment card details (Stripe-only; we never see card numbers, CVVs, or full expiry dates)
  • Social Security numbers, government IDs, or banking credentials (none required by the product)
  • Browser session replays, keystroke recording, or video monitoring

Encryption

  • In transit: TLS 1.2+ on every connection (browser ↔ Vercel ↔ Supabase ↔ subprocessors). HSTS enabled.
  • At rest: AES-256 on Supabase Postgres and Supabase Storage. AES-256 on Vercel deployment artifacts.
  • Secrets: API keys and webhook secrets stored in Vercel Environment Variables (encrypted at rest, decrypted only at function invocation). No secrets in the source repo.

Application controls

  • Rate limiting on every mutating API route (deal creation, proforma generation, document upload, address search, account export, listing handoffs). Limits enforced atomically via Postgres RPC to prevent race conditions.
  • Stripe webhook signature verification on every payment event before it touches the database. Idempotent handlers — duplicate deliveries converge to the same state.
  • Engine fail-loud — proforma calculation errors surface to the user as an explicit retry modal instead of silently degrading to mock data. Errors are captured in Sentry with deal context but no input values.
  • Content Security Policy headers restrict executable script sources and embedded frame ancestors.
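Added example, not Underwrote.AI's own RPC: an atomic fixed-window rate limiter written as a Postgres function, showing how "enforced atomically via Postgres RPC" avoids the read-then-increment race that a check in application code would have. The table, function and route names are assumed; `auth.uid()` is Supabase's helper for the caller's JWT subject.

```sql
-- Added example with hypothetical names. One row per (caller, route) bucket.
-- INSERT ... ON CONFLICT DO UPDATE locks that row, so two concurrent calls
-- serialise and cannot both slip under the limit.
create table if not exists rate_limit_buckets (
  bucket_key   text primary key,        -- '<user-id>:<route>'
  window_start timestamptz not null,
  hits         integer not null
);

create or replace function consume_rate_limit(
  p_route  text,
  p_limit  integer,
  p_window interval
) returns boolean
language plpgsql
security definer            -- runs with owner rights; callers never touch the table
set search_path = public
as $$
declare
  v_key     text := auth.uid()::text || ':' || p_route;  -- keyed on the caller, not client input
  v_allowed boolean;
begin
  if auth.uid() is null then
    raise exception 'not authenticated';
  end if;

  insert into rate_limit_buckets (bucket_key, window_start, hits)
  values (v_key, now(), 1)
  on conflict (bucket_key) do update
    set hits = case when rate_limit_buckets.window_start + p_window <= now()
                    then 1 else rate_limit_buckets.hits + 1 end,
        window_start = case when rate_limit_buckets.window_start + p_window <= now()
                            then now() else rate_limit_buckets.window_start end
  returning hits <= p_limit into v_allowed;   -- evaluated on the row after the update

  return v_allowed;
end;
$$;

-- Only the function may read or write the bucket table.
revoke all on rate_limit_buckets from anon, authenticated;
grant execute on function consume_rate_limit(text, integer, interval) to authenticated;

-- From the API route, before performing the mutation:
--   select consume_rate_limit('deal_create', 20, interval '1 minute');
-- true while the caller has made at most 20 calls in the current window, false otherwise.
```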

Operational posture

Backups

Postgres database is on Supabase's point-in-time recovery tier with 7-day retention. Database recovery procedure is documented internally and exercised at least annually.

Monitoring & incident response

Application errors are surfaced in Sentry within seconds of occurrence. Vercel platform incidents are surfaced via vercel-status.com. If you're experiencing an outage, our latest status is at underwrote.ai/status. For security incidents involving customer data, we will notify affected accounts by email within 72 hours of confirmation, in line with GDPR Article 33.

Reporting a vulnerability

If you believe you've found a security vulnerability, email security@underwrote.ai with steps to reproduce. We don't currently run a paid bug bounty; we'll acknowledge receipt within two business days and credit researchers in this section's changelog if they want public attribution. Please don't exfiltrate customer data, run automated scans against production, or test against accounts other than your own.

Compliance roadmap

Underwrote.AI is a small team building toward institutional usage. Our current posture relies on the SOC 2 Type II certifications of our subprocessors (listed above) — all customer data lives on infrastructure that is itself SOC 2 audited. We do not yet hold an Underwrote-issued SOC 2 report; we will publish a roadmap and target date here once we have engaged an auditor. If your diligence requires our own SOC 2 report or a signed DPA today, reach out at security@underwrote.ai.
