Security & trust
Built to be run on. Honest about where we are.
Your proposals carry your clients’ names, scopes, and signatures. We protect them with encryption, least-privilege access, and a full audit trail — and we tell you plainly what’s certified versus in progress.
Current posture
SOC 2 Type II: In progress
HIPAA controls: Ready
Encryption in transit (TLS): Live
Tenant isolation (RLS): Live
How we protect your work
The controls underneath every proposal.
Encrypted in transit
TLS in transit (HTTPS everywhere with HSTS). Signed documents and payment results are tenant-isolated and access-controlled.
Least-privilege access
A server-side trust boundary the browser can’t forge: every request is authorized against workspace membership. Internal access is logged.
Tenant isolation by RLS
Postgres row-level security with a non-superuser role and FORCE RLS scopes every query to your workspace — the boundary lives in the database, not just the code.
Append-only audit trail
Views, edits, signatures, and payments are recorded with who, when, and from where. Acceptance is hash-chained and UPDATE/DELETE are revoked at the DB.
Payments via Stripe
Card data goes straight to Stripe (PCI DSS Level 1). We never see or store full card numbers — only the result of a charge.
Hardened by default
Argon2id password hashing, security headers + CSP, rate limiting with Retry-After, and short-lived secure session cookies — on every request.
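The setup named under "Tenant isolation by RLS" above, as an added example that is not this service's own schema or code. The role, table, policy and setting names are assumptions, and the UUID is a constructed sample value.

```sql
-- Added example: role, table, policy and setting names are assumptions.
-- The application connects as a role that can never bypass RLS.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE proposals (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    title        text NOT NULL
);

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the
-- table owner, who is otherwise exempt.
ALTER TABLE proposals ENABLE ROW LEVEL SECURITY;
ALTER TABLE proposals FORCE ROW LEVEL SECURITY;

-- USING filters rows read or targeted; WITH CHECK rejects rows written into
-- another workspace. One-argument current_setting() raises an error when the
-- setting is missing, so a request without tenant context fails closed.
CREATE POLICY workspace_isolation ON proposals
    USING      (workspace_id = current_setting('app.workspace_id')::uuid)
    WITH CHECK (workspace_id = current_setting('app.workspace_id')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON proposals TO app_user;
GRANT USAGE ON SEQUENCE proposals_id_seq TO app_user;

-- One request = one transaction. The workspace id (constructed sample value)
-- comes from the server-side session, never from client input.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO proposals (workspace_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed sample proposal');
-- The policy limits this SELECT to the current workspace's rows.
SELECT id, title FROM proposals;
-- An INSERT with any other workspace_id here fails the WITH CHECK clause.
COMMIT;

-- Audit checks: both flags must be true for the table, both false for the role.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'proposals';
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles WHERE rolname = 'app_user';
```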
Compliance, stated plainly.
We won’t claim a badge we haven’t earned. Here’s exactly where each framework stands today.
SOC 2 Type II: In progress
Trust Services Criteria controls implemented · audit in progress
HIPAA: In progress
HIPAA-ready controls in place · BAA with host in progress
GDPR: Compliant
EU data processing · export & erasure honored · DPA on request
CCPA: Compliant
California consumer privacy · access & deletion rights
PCI DSS: Live
Handled by Stripe (Level 1) · we never store card numbers
“In progress” means the technical controls are implemented and operating and we can share readiness evidence under NDA — the third-party audit and host BAA are underway, not yet complete. We update this page the day a status changes.
Subprocessors
The vendors that help us run the service, what they do, and where they operate.
Cloud hosting
Application hosting & encrypted storage
Stripe
Payments processing (PCI DSS Level 1)
Anthropic
AI drafting — no training on your data
Postmark
Transactional email
Cloudflare
CDN & DDoS protection
Your data is yours
You’re never locked in, and your client data is never the product.
You own your content
Proposals, client data, and signatures belong to you — not us. We’re a processor, not an owner.
Export anytime
Pull your proposals, contacts, and signed PDFs whenever you want, in open formats.
Delete means delete
Owner-gated deletion of a proposal, workspace, or account cascades the data out of production, and a retention purge job clears it on schedule.
Never training fodder
Your proposals and client data are never used to train AI models — ours or anyone else’s.
What security teams ask.
Not yet — and we won’t say otherwise. The CC-series controls (access control, encryption, change management, audit logging) are implemented and operating, which puts us at Type I readiness. A Type II audit is in progress. We’ll share our readiness evidence under NDA today and the attestation report the moment it’s issued.
Found something? We want to hear it.
Responsible disclosure is welcomed and rewarded. Reach our security team directly — we read every report.