Last updated: June 4, 2026
Founder Sherpa is an early-stage company, and we take the security of your data seriously from day one. We are not yet SOC 2 certified — that work is on our roadmap — but we’ve built the platform on security-first foundations and want to be transparent about exactly how your data is protected today. This page explains the concrete protections we have in place right now, including how your interview content is handled when our AI features process it. If you’re evaluating Founder Sherpa for a pilot and need more detail than this page provides, we’re happy to talk directly — see Questions or a deeper review? at the bottom.How your data is protected
Tenant isolation
Your workspace’s data is walled off from every other customer’s. Isolation is
enforced at the database layer through Postgres Row-Level Security — not just
in application code — so a user can only ever read data from a workspace they
are a member of.
Encryption everywhere
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our
managed database provider. Your interview content is never stored or
transmitted in the clear.
Access control
Role-based permissions (owner / admin / member) govern who can do what in a
workspace. Accounts require email verification, passwords must meet a strength
policy, and sensitive credentials are kept strictly server-side — never
exposed to the browser.
Trusted infrastructure
Founder Sherpa runs on Vercel (hosting) and Supabase (database, auth, and
file storage). Both are established, enterprise-grade providers that maintain
their own SOC 2 compliance, so your data sits on professionally secured
infrastructure.
AI and your interview data
Our AI features — transcript parsing, evidence analysis, hypothesis quality checks, the CoPilot assistant, and others — are powered by leading AI providers (currently OpenAI’s API, with Anthropic also supported). To generate these insights, the relevant content (for example, the text of an interview transcript or an evidence note) is sent to the provider for processing. We know this is the question pilots care about most, so here is exactly what that means for your data:OpenAI does not use data submitted through its API to train its models.
This is a commitment OpenAI makes for all API customers — content sent through
the API is excluded from model training by default. Anthropic makes the same
commitment for its API.
- AI never runs on its own. Content is only sent to the provider as the result of an action you take — uploading a transcript, clicking an analysis button, or asking the CoPilot a question. There is no background processing of your data.
- Only what’s needed is sent. AI requests include the specific content for the task at hand, not your entire workspace.
- The same access rules apply. AI-generated results are written back into your workspace and protected by the same isolation and access controls as everything else.
Bring your own key
Organizations can optionally run AI on their own OpenAI or Anthropic API key instead of our platform keys (see AI Models & Bring-Your-Own-Key). When you do, your key is encrypted at rest with AES-256-GCM, the encryption key never lives in the database, and the key is never returned to the browser — it’s decrypted only server-side at the moment an AI request is made, and only organization owners and admins can manage it. Inference still runs through our backend over your data; a bring-your-own-key setup simply means token usage is billed by your provider rather than against your AI credits. We are actively working to formalize this relationship further with a data processing agreement and zero-retention terms — see our security roadmap below.Our subprocessors
We rely on a small set of reputable third-party providers to operate Founder Sherpa. Each maintains its own security and compliance program.| Provider | What it’s used for | Notes |
|---|---|---|
| Supabase | Database, authentication, and file storage | Hosts your core data; SOC 2 compliant; encrypts at rest and in transit |
| OpenAI | AI analysis of interview content | Processes content you submit for AI features; does not train on API data |
| Anthropic | AI analysis of interview content (when used) | Alternative AI provider, used when selected or via bring-your-own-key; does not train on API data |
| Vercel | Application hosting and delivery | Serves the application; SOC 2 compliant |
| Stripe | Billing and payments | Handles all payment data directly; PCI-DSS compliant. We never store your card details |
| Resend | Transactional and notification emails | Sends account, invitation, and digest emails |
| Sentry | Error monitoring and reliability | Helps us detect and fix issues quickly |
Our security roadmap
We’re transparent about where we’re investing next:- SOC 2 readiness — formalizing our controls and policies toward a SOC 2 examination.
- Formal AI data agreements — pursuing a data processing agreement and zero-retention terms with our AI provider.
- Telemetry and PII hardening — tightening how diagnostic and monitoring tools handle any personal information.
- Customer DPAs — we can provide a data processing agreement on request for pilot and paid customers.