InvestLyftInvestLyftSign in

Trust & Security

InvestLyft is built to handle sensitive financial data -- cap tables, investor information, fund operations, and legal documents. Security is foundational, not an add-on.

Data Encryption

  • All data encrypted at rest using AES-256 via Supabase (powered by AWS)
  • All data encrypted in transit using TLS 1.2+ (HTTPS enforced on every endpoint)
  • Database connections secured with SSL certificates
  • File storage (data room documents) encrypted at rest in Supabase Storage
  • Authentication tokens and session data never stored in plain text

Infrastructure

  • Hosted on Vercel's edge network (global CDN, automatic DDoS protection)
  • Database hosted on Supabase (managed PostgreSQL on AWS)
  • Row-Level Security (RLS) enforced on every tenant-scoped table -- data isolation is database-level, not application-level
  • Environment secrets managed via Vercel's encrypted environment variable system
  • No customer data stored on developer machines or in source control

Application Security

  • Multi-tenant architecture with strict data isolation via PostgreSQL RLS policies
  • Role-based access control (RBAC) with 8 scoped roles across 4 tiers (system, partner, tenant, investor)
  • Feature gating enforced at middleware level -- unauthorized access returns 403
  • All API routes verify authentication before data access
  • Input validation on all system boundaries
  • CSRF protection via SameSite cookie attributes
  • Content Security Policy headers enforced

Data Residency & Privacy

  • Primary data hosted in US regions (AWS us-east-1 via Supabase)
  • GDPR-aware cookie consent with granular opt-in/opt-out controls
  • Users can export all personal data (CSV download of 30+ tables)
  • Account deletion with 30-day grace period and full data removal
  • No customer data sold to or shared with third parties
  • Third-party processors: Supabase (database), Stripe (payments), Resend (email), Anthropic/OpenAI (AI features -- no training on customer data)

Incident Response

  • Unified audit log tracks all administrative actions with user, timestamp, and context
  • Real-time monitoring via Vercel and Supabase dashboards
  • Commitment to notify affected users within 72 hours of a confirmed data breach
  • Post-incident review process with root cause analysis and prevention measures

Responsible Disclosure

  • Security researchers can report vulnerabilities to security@investlyft.com
  • We commit to acknowledging reports within 48 hours
  • We will not pursue legal action against good-faith security researchers
  • We will credit researchers (with permission) when vulnerabilities are resolved

Compliance Roadmap

We are actively working toward formal compliance certifications. Our current architecture and practices are designed with these standards in mind.

SOC 2 Type IIGDPRCCPAISO 27001

Questions about our security practices? security@investlyft.com