Skip to main content

Last updated: June 4, 2026

Founder Sherpa is an early-stage company, and we take the security of your data seriously from day one. We are not yet SOC 2 certified — that work is on our roadmap — but we’ve built the platform on security-first foundations and want to be transparent about exactly how your data is protected today. This page explains the concrete protections we have in place right now, including how your interview content is handled when our AI features process it. If you’re evaluating Founder Sherpa for a pilot and need more detail than this page provides, we’re happy to talk directly — see Questions or a deeper review? at the bottom.

How your data is protected

Tenant isolation

Your workspace’s data is walled off from every other customer’s. Isolation is enforced at the database layer through Postgres Row-Level Security — not just in application code — so a user can only ever read data from a workspace they are a member of.

Encryption everywhere

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our managed database provider. Your interview content is never stored or transmitted in the clear.

Access control

Role-based permissions (owner / admin / member) govern who can do what in a workspace. Accounts require email verification, passwords must meet a strength policy, and sensitive credentials are kept strictly server-side — never exposed to the browser.

Trusted infrastructure

Founder Sherpa runs on Vercel (hosting) and Supabase (database, auth, and file storage). Both are established, enterprise-grade providers that maintain their own SOC 2 compliance, so your data sits on professionally secured infrastructure.
Uploaded interview transcripts are stored in a private storage bucket that is locked down by the same workspace-membership rules as the rest of your data — they are not publicly accessible and cannot be reached by other customers.

AI and your interview data

Our AI features — transcript parsing, evidence analysis, hypothesis quality checks, the CoPilot assistant, and others — are powered by leading AI providers (currently OpenAI’s API, with Anthropic also supported). To generate these insights, the relevant content (for example, the text of an interview transcript or an evidence note) is sent to the provider for processing. We know this is the question pilots care about most, so here is exactly what that means for your data:
OpenAI does not use data submitted through its API to train its models. This is a commitment OpenAI makes for all API customers — content sent through the API is excluded from model training by default. Anthropic makes the same commitment for its API.
  • AI never runs on its own. Content is only sent to the provider as the result of an action you take — uploading a transcript, clicking an analysis button, or asking the CoPilot a question. There is no background processing of your data.
  • Only what’s needed is sent. AI requests include the specific content for the task at hand, not your entire workspace.
  • The same access rules apply. AI-generated results are written back into your workspace and protected by the same isolation and access controls as everything else.

Bring your own key

Organizations can optionally run AI on their own OpenAI or Anthropic API key instead of our platform keys (see AI Models & Bring-Your-Own-Key). When you do, your key is encrypted at rest with AES-256-GCM, the encryption key never lives in the database, and the key is never returned to the browser — it’s decrypted only server-side at the moment an AI request is made, and only organization owners and admins can manage it. Inference still runs through our backend over your data; a bring-your-own-key setup simply means token usage is billed by your provider rather than against your AI credits. We are actively working to formalize this relationship further with a data processing agreement and zero-retention terms — see our security roadmap below.

Our subprocessors

We rely on a small set of reputable third-party providers to operate Founder Sherpa. Each maintains its own security and compliance program.
ProviderWhat it’s used forNotes
SupabaseDatabase, authentication, and file storageHosts your core data; SOC 2 compliant; encrypts at rest and in transit
OpenAIAI analysis of interview contentProcesses content you submit for AI features; does not train on API data
AnthropicAI analysis of interview content (when used)Alternative AI provider, used when selected or via bring-your-own-key; does not train on API data
VercelApplication hosting and deliveryServes the application; SOC 2 compliant
StripeBilling and paymentsHandles all payment data directly; PCI-DSS compliant. We never store your card details
ResendTransactional and notification emailsSends account, invitation, and digest emails
SentryError monitoring and reliabilityHelps us detect and fix issues quickly

Our security roadmap

We’re transparent about where we’re investing next:
  • SOC 2 readiness — formalizing our controls and policies toward a SOC 2 examination.
  • Formal AI data agreements — pursuing a data processing agreement and zero-retention terms with our AI provider.
  • Telemetry and PII hardening — tightening how diagnostic and monitoring tools handle any personal information.
  • Customer DPAs — we can provide a data processing agreement on request for pilot and paid customers.

Questions or a deeper review?

If your team needs additional detail, a data processing agreement, or a security questionnaire completed as part of your evaluation, reach out to hello@expertcollective.org and we’ll be glad to help.