SECURITY

How we handle your data.

Source documents encrypted at rest. Row-level security on every database table. Lender access only with explicit per-deal authorization. We do not sell, share, or aggregate deal data.

Last updated: April 28, 2026
Version: 1.2
Reachable: security@acren.ai

What we encrypt
Source documents and structured fields.
Offering memos, T-12s, rent rolls, sponsor PFS, extracted financial fields. Encrypted at rest with AES-256 in Supabase managed Postgres + Storage. Encrypted in transit with TLS 1.3 between every hop.
What we restrict
Access by row, not by table.
Postgres row-level security policies enforce that every read query filters by deal owner identity. Lender access is granted per deal, per submission — never broad, never inferred.
What we never do
Sell, aggregate, or train on deal data.
No data brokerage. No anonymized aggregate sale. Anthropic's data policy on Claude API explicitly excludes customer content from model training. We don't even mine your deals to improve our scoring rubric.
01 Where data lives

Encryption, hosting, region.

Encryption at rest

AES-256

Source documents and database fields encrypted at rest in Supabase managed Postgres. Storage objects encrypted with server-side keys rotated by Supabase.

Encryption in transit

TLS 1.3

Every request between browser and server, server and Supabase, server and Anthropic, server and Resend runs over TLS 1.3 with HSTS preload on acren.ai.

Hosting region

United States East

Supabase project hosted in us-east-1 (AWS Northern Virginia). Vercel application served from global edge with US-East primary. No data leaves United States soil.

Authentication

Email + OAuth + magic link

Supabase Auth with bcrypt-hashed passwords, Google OAuth, Microsoft OAuth, and email magic link. Session tokens are short-lived; refresh tokens are revocable from settings.

02 Who can see what

Access is explicit.

Per-deal authorization, no broad access.

| Role | Access |
| --- | --- |
| DEAL OWNER | Full read and write on every field, every document, every quote |
| FOUNDER | Admin read across all deals to enable financing routing and quote entry |
| AUTHORIZED LENDER | Read access to a specific deal package only after operator explicitly submits to that lender |
| EVERYONE ELSE | No access. Row-level security enforced in Postgres. |
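
The access model above, sketched as Postgres row-level security policies. This is an added example, not Acren's actual schema or policy code: the tables `deals`, `deal_submissions` and `admin_users`, their columns, and the policy names are hypothetical, and `auth.uid()` is the Supabase helper that returns the authenticated user's id.

```sql
-- Hypothetical schema; auth.uid() is Supabase's current-user helper.
create table deals (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,          -- deal owner's auth user id
  name     text not null
);
create table deal_submissions (
  deal_id        uuid not null references deals(id) on delete cascade,
  lender_user_id uuid not null,    -- lender the owner submitted this deal to
  revoked_at     timestamptz,      -- set when access is withdrawn
  primary key (deal_id, lender_user_id)
);
create table admin_users (user_id uuid primary key);  -- founder role

-- With RLS enabled, a role that matches no policy sees zero rows.
alter table deals            enable row level security;
alter table deal_submissions enable row level security;
alter table admin_users      enable row level security;

-- Lookup tables: each user reads only their own rows. No write policy
-- exists, so writes must come from a trusted server-side role (assumption).
create policy own_submissions on deal_submissions
  for select using (lender_user_id = auth.uid());
create policy own_admin_row on admin_users
  for select using (user_id = auth.uid());

-- DEAL OWNER: full read and write, restricted to rows they own.
create policy deal_owner_all on deals
  for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- FOUNDER: read-only across all deals.
create policy founder_read on deals
  for select
  using (exists (select 1 from admin_users a where a.user_id = auth.uid()));

-- AUTHORIZED LENDER: read-only, only deals explicitly submitted to them.
create policy lender_read on deals
  for select
  using (exists (
    select 1 from deal_submissions s
    where s.deal_id = deals.id
      and s.lender_user_id = auth.uid()
      and s.revoked_at is null));
```

The policies on `deals` reference the lookup tables but not the other way round, which avoids the recursive-policy error Postgres raises when two tables' policies query each other. A quick check is to run `select * from deals` as a user who owns no deal and has no row in either lookup table; the result should be empty.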

03 Subprocessor registry

Every vendor that touches your data.

All vendors named below are bound by data-processing agreements. We notify by email at least fourteen days before adding, removing, or materially changing a subprocessor.

| Vendor | Purpose | Data class | Region | DPA |
| --- | --- | --- | --- | --- |
| Supabase (Postgres + storage) | Database, storage, authentication | Account · Deal · Documents | US-East-1 | v2024.06 |
| Vercel (Application hosting) | Application runtime, edge cache | No persisted user data | Global edge, US primary | v2024.04 |
| Anthropic (Claude Sonnet 4.6) | Document extraction and scoring | Source documents (transient) | United States | v2025.01 |
| Resend (Transactional email) | Outbound email delivery | Email + recipient name | United States | v2024.08 |
| Sentry (Error tracking) | Application error capture | Stack traces (PII scrubbed) | US Cloud | v2024.11 |
| PostHog (Product analytics) | Page views, click events, errors | Anonymized usage events | US Cloud | v2024.10 |
| Stripe (Pro tier billing, post-beta) | Payment processing | Card data, billing address | United States | v2024.05 |

04 Retention matrix

How long we keep what.

| Data class | Active retention | After deletion request | Backup window |
| --- | --- | --- | --- |
| Source documents (OM, T-12, rent roll, PFS) | While account active | 30-day soft delete, then permanent purge | 14-day point-in-time recovery |
| Extracted financial fields (Cap, occupancy, NOI) | While account active | 30-day soft delete, then permanent purge | 14-day point-in-time recovery |
| Account data (Email, name, company) | While account active | 30-day soft delete, then permanent purge | 14-day point-in-time recovery |
| Authentication tokens (Session + refresh tokens) | 1 hour (session), 30 days (refresh) | Immediate revocation | None |
| Email logs (Resend transactional records) | 30 days | Purged on schedule | None |
| Analytics events (PostHog page + click events) | 12 months | 30-day purge of identified events | None |
| Error traces (Sentry exception captures) | 90 days | Purged on schedule | None |

05 Compliance

Where we are today.

Honest about what's implemented versus what's on the roadmap. We don't claim certifications we don't have.

| Control | Status |
| --- | --- |
| Encryption at rest | LIVE |
| Encryption in transit | LIVE |
| Row-level security | LIVE |
| Audit logging | LIVE |
| Data-processing agreement (DPA) | LIVE — request via security@acren.ai |
| Vendor security review packet | LIVE — request via security@acren.ai |
| SOC 2 Type 1 | Series A timeline |
| SOC 2 Type 2 | Post Series A |
| Penetration testing | Series A |
| Breach notification commitment | 72 hours from confirmed breach |

06 Disclosure

Found something? Tell us.

Security disclosures, vulnerability reports, or data handling questions: security@acren.ai. We acknowledge within one business day, prioritize within five, and patch verified issues on a rolling cadence with credit attribution to the reporter.

PGP key + security.txt available at acren.ai/.well-known/security.txt