
Security at VentureScope

Last reviewed: March 20, 2026

VentureScope is built to handle sensitive deal materials — pitch decks, financial models, cap tables. This page explains exactly how your data is protected, who can access it, and what happens to it over its lifetime.

At a glance:

  • TLS 1.2+ on all connections
  • AES-256 for data at rest
  • Organization isolation via row-level security
  • No training on your data

1. Data Architecture & Isolation

All customer data is stored in Supabase (PostgreSQL database + S3-compatible object storage), hosted on AWS infrastructure in the United States. Your organization's data is logically isolated from every other organization through Row Level Security (RLS) policies enforced at the database layer — not just application code. Even if application logic were bypassed, RLS policies prevent cross-organization data access at the database level.

Uploaded files (pitch decks, financial models, etc.) are stored in private Supabase Storage buckets, organized by organization and company ID. Buckets are private by default — no public access. Signed, time-limited URLs are generated for authorized access only.

  • Database: Supabase PostgreSQL with RLS on every table containing customer data
  • File storage: Private Supabase Storage buckets (org-scoped, no public access)
  • Application hosting: Vercel (serverless, no persistent disk access to customer data)
  • No customer data is written to application logs in plaintext

2. Encryption

In Transit

  • All connections use TLS 1.2 or higher. HTTP connections are redirected to HTTPS.
  • HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age, includeSubDomains, and preload.
  • API calls to AI providers (Anthropic, etc.) are made over TLS-encrypted connections.

At Rest

  • Supabase encrypts database storage using AES-256 at the infrastructure level.
  • Supabase Storage (uploaded files) is encrypted at rest using AES-256.
  • BYOK API Keys: If you provide your own AI provider API keys, they are encrypted at the application layer using AES-256-GCM before being stored in the database. A random initialization vector is generated per key to prevent pattern analysis. The encryption master key is stored as an environment secret, not in the database. Only the last 4 characters of each key are stored in plaintext for display purposes.

3. Access Control & Authentication

  • No passwords stored: Authentication is via Google OAuth, GitHub OAuth, or email magic links (Resend). We never store your password.
  • Session management: Sessions are stored in the database and revoked immediately upon account deletion or explicit sign-out.
  • Role-based access: Organization roles (owner, admin, member) control what actions each user can take. Assessment sharing is explicit — you choose who can view, comment, or edit each assessment.
  • Row Level Security: Every database table containing customer data has RLS policies. Users can only query and mutate their own organization's data.
  • Public report links: When you generate a public shareable link, it uses a 144-bit random token and supports optional password protection (SHA-256 hashed) and expiry dates.

4. Document Handling Lifecycle

Here is exactly what happens when you upload a document to VentureScope:

  1. Upload: Your file is uploaded directly to a private Supabase Storage bucket via a short-lived signed URL. The file is stored under your organization's path (org_id/company_id/filename) and is not accessible to any other organization.
  2. Text Extraction: Our server (Vercel serverless) downloads the file into memory and extracts text using appropriate libraries (PDF, Word, Excel, PowerPoint). For image-heavy documents, image content may be sent to Anthropic's Claude Vision API for OCR — this is covered under our AI processing terms. The extracted text is stored in your document record.
  3. AI Analysis: When you run an assessment, the extracted text from your selected documents is sent to the AI provider (Anthropic by default, or your chosen BYOK provider) via a TLS-encrypted API call. The AI generates the assessment and returns results to our server. Document content is not retained by the AI provider for training (see Section 5).
  4. Storage: The assessment content, scores, and recommendation are stored in your Supabase database, scoped to your organization. The original uploaded file remains in your private storage bucket.
  5. Deletion: When you delete a document, both the original file in storage and the extracted text in the database are removed. When you close your account, all documents, assessments, and associated data are permanently deleted within 30 days (with a grace period for recovery).

5. AI Processing & Model Training

When you run an assessment, the extracted text from your documents is sent to an AI API for analysis. By default, this is Anthropic's Claude API.

Anthropic's position on training data:

Anthropic's commercial API terms explicitly state that they do not use inputs and outputs from their API for training their models. Your deal documents are processed to generate a response and are not retained by Anthropic for training purposes. See Anthropic's Privacy Policy for full details.

If you use Bring Your Own Key (BYOK) to connect a different AI provider (OpenAI, Google Gemini, xAI), your document content is sent to that provider instead. Each provider's API privacy terms govern how they handle that data. We recommend reviewing your chosen provider's API privacy policy before uploading highly sensitive materials.

6. Subprocessors

The following third-party vendors process or may access customer data on our behalf. We conduct due diligence on each vendor's security posture before onboarding them.

Vendor    | Purpose                                                  | Location            | Certification
Anthropic | AI analysis (document processing, assessment generation) | USA                 | API inputs not used for training
Supabase  | Database and file storage                                | USA (AWS us-east-1) | SOC 2 Type II
Vercel    | Application hosting and CDN                              | USA + global edge   | SOC 2 Type II
Stripe    | Payment processing                                       | USA                 | PCI DSS Level 1
Sentry    | Error monitoring (no PII in error payloads)              | USA                 | SOC 2 Type II
PostHog   | Product analytics                                        | USA                 | SOC 2 Type II
Resend    | Transactional email delivery                             | USA                 | SOC 2 Type II

7. Security Headers & Browser Protections

  • HSTS: HTTP Strict Transport Security enforced with 2-year duration, includeSubDomains, preload
  • X-Frame-Options: DENY — prevents clickjacking by blocking iframe embedding
  • X-Content-Type-Options: nosniff — prevents MIME type sniffing
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer header leakage
  • Content Security Policy: Restricts resource loading to trusted origins
  • Permissions-Policy: Camera, microphone, and geolocation access disabled
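An added check, not VentureScope's code, that audits a set of response headers against the policy listed above and reports every deviation; the sample header values are constructed, and the 2-year max-age is taken as 63072000 seconds.

```javascript
// Added example (not VentureScope's code): audit response headers against the Section 7 policy.
const TWO_YEARS = 63072000; // seconds

function parseHsts(value) {
  const parts = value.toLowerCase().split(';').map(s => s.trim());
  const maxAge = parts.find(p => p.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : null,
    includeSubDomains: parts.includes('includesubdomains'),
    preload: parts.includes('preload'),
  };
}

// Returns a list of findings; an empty list means the headers match the stated policy.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = h['strict-transport-security'] ? parseHsts(h['strict-transport-security']) : null;
  if (!hsts) findings.push('HSTS missing');
  else {
    if (!(hsts.maxAge >= TWO_YEARS)) findings.push('HSTS max-age below 2 years');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!hsts.preload) findings.push('HSTS lacks preload');
  }
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if ((h['referrer-policy'] || '').toLowerCase() !== 'strict-origin-when-cross-origin') findings.push('Referrer-Policy is not strict-origin-when-cross-origin');
  if (!h['content-security-policy']) findings.push('Content-Security-Policy missing');
  // Each feature must appear with an empty allowlist, e.g. camera=()
  const pp = (h['permissions-policy'] || '').replace(/\s/g, '');
  for (const feature of ['camera', 'microphone', 'geolocation']) {
    if (!pp.includes(`${feature}=()`)) findings.push(`Permissions-Policy does not disable ${feature}`);
  }
  return findings;
}

// Constructed sample: a response that meets the policy.
const SAMPLE_OK = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Content-Security-Policy': "default-src 'self'",
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```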

8. Compliance & Certifications

  • SOC 2: VentureScope is currently working toward SOC 2 Type II certification. Our core infrastructure providers (Supabase, Vercel, Stripe, Sentry) are SOC 2 Type II certified.
  • GDPR: We honor data access, correction, deletion, and portability requests. Account deletion is processed within 30 days. Data export is available from your account settings.
  • CCPA: California residents may request access to or deletion of their personal data. We do not sell personal information.

For enterprise compliance requirements, including Data Processing Agreements (DPAs), visit our DPA page or contact legal@venturescope.ai.

9. Incident Response

In the event of a security incident affecting customer data, we will notify affected organizations within 72 hours of becoming aware of the breach, consistent with GDPR requirements. Notifications will include the nature of the incident, categories of data affected, likely consequences, and steps taken or proposed to address the incident.

10. Responsible Disclosure

If you discover a security vulnerability in VentureScope, please report it to us before public disclosure so we have the opportunity to remediate it. We appreciate security researchers who responsibly disclose vulnerabilities.

security@venturescope.ai

Please include: affected URL or component, steps to reproduce, potential impact, and your contact information. We request 90 days to remediate before public disclosure.

11. Questions & Contact

For security questions or to report a vulnerability, contact security@venturescope.ai.

For privacy questions, contact privacy@venturescope.ai.

For DPA and compliance inquiries, contact legal@venturescope.ai.
