> ## Documentation Index
> Fetch the complete documentation index at: https://docs.founder-sherpa.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Data Protection

> How Founder Sherpa protects your data — including how interview content is handled by our AI providers.

## Last updated: June 4, 2026

Founder Sherpa is an early-stage company, and we take the security of your data
seriously from day one. We are not yet SOC 2 certified — that work is on our
roadmap — but we've built the platform on security-first foundations and want to
be transparent about exactly how your data is protected today. This page explains
the concrete protections we have in place right now, including how your interview
content is handled when our AI features process it.

If you're evaluating Founder Sherpa for a pilot and need more detail than this
page provides, we're happy to talk directly — see [Questions or a deeper
review?](#questions-or-a-deeper-review) at the bottom.

## How your data is protected

<CardGroup cols={2}>
  <Card title="Tenant isolation" icon="shield-halved">
    Your workspace's data is walled off from every other customer's. Isolation is
    enforced at the database layer through Postgres Row-Level Security — not just
    in application code — so a user can only ever read data from a workspace they
    are a member of.
  </Card>

  <Card title="Encryption everywhere" icon="lock">
    All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our
    managed database provider. Your interview content is never stored or
    transmitted in the clear.
  </Card>

  <Card title="Access control" icon="user-shield">
    Role-based permissions (owner / admin / member) govern who can do what in a
    workspace. Accounts require email verification, passwords must meet a strength
    policy, and sensitive credentials are kept strictly server-side — never
    exposed to the browser.
  </Card>

  <Card title="Trusted infrastructure" icon="server">
    Founder Sherpa runs on Vercel (hosting) and Supabase (database, auth, and
    file storage). Both are established, enterprise-grade providers that maintain
    their own SOC 2 compliance, so your data sits on professionally secured
    infrastructure.
  </Card>
</CardGroup>

Uploaded interview transcripts are stored in a private storage bucket that is
locked down by the same workspace-membership rules as the rest of your data — they
are not publicly accessible and cannot be reached by other customers.

## AI and your interview data

Our AI features — transcript parsing, evidence analysis, hypothesis quality
checks, the CoPilot assistant, and others — are powered by leading AI providers
(currently **OpenAI's API**, with **Anthropic** also supported). To generate
these insights, the relevant content (for example, the text of an interview
transcript or an evidence note) is sent to the provider for processing.

We know this is the question pilots care about most, so here is exactly what that
means for your data:

<Note>
  **OpenAI does not use data submitted through its API to train its models.**
  This is a commitment OpenAI makes for all API customers — content sent through
  the API is excluded from model training by default. Anthropic makes the same
  commitment for its API.
</Note>

* **AI never runs on its own.** Content is only sent to the provider as the result
  of an action you take — uploading a transcript, clicking an analysis button, or
  asking the CoPilot a question. There is no background processing of your data.
* **Only what's needed is sent.** AI requests include the specific content for the
  task at hand, not your entire workspace.
* **The same access rules apply.** AI-generated results are written back into your
  workspace and protected by the same isolation and access controls as everything
  else.

### Bring your own key

Organizations can optionally run AI on **their own OpenAI or Anthropic API key**
instead of our platform keys (see [AI Models &
Bring-Your-Own-Key](/docs/features/bring-your-own-key)). When you do, your key is
**encrypted at rest with AES-256-GCM**, the encryption key never lives in the
database, and the key is **never returned to the browser** — it's decrypted only
server-side at the moment an AI request is made, and only organization owners and
admins can manage it. Inference still runs through our backend over your data; a
bring-your-own-key setup simply means token usage is billed by your provider
rather than against your AI credits.

We are actively working to formalize this relationship further with a data
processing agreement and zero-retention terms — see our [security
roadmap](#our-security-roadmap) below.

## Our subprocessors

We rely on a small set of reputable third-party providers to operate Founder
Sherpa. Each maintains its own security and compliance program.

| Provider      | What it's used for                           | Notes                                                                                             |
| ------------- | -------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| **Supabase**  | Database, authentication, and file storage   | Hosts your core data; SOC 2 compliant; encrypts at rest and in transit                            |
| **OpenAI**    | AI analysis of interview content             | Processes content you submit for AI features; does not train on API data                          |
| **Anthropic** | AI analysis of interview content (when used) | Alternative AI provider, used when selected or via bring-your-own-key; does not train on API data |
| **Vercel**    | Application hosting and delivery             | Serves the application; SOC 2 compliant                                                           |
| **Stripe**    | Billing and payments                         | Handles all payment data directly; PCI-DSS compliant. We never store your card details            |
| **Resend**    | Transactional and notification emails        | Sends account, invitation, and digest emails                                                      |
| **Sentry**    | Error monitoring and reliability             | Helps us detect and fix issues quickly                                                            |

## Our security roadmap

We're transparent about where we're investing next:

* **SOC 2 readiness** — formalizing our controls and policies toward a SOC 2
  examination.
* **Formal AI data agreements** — pursuing a data processing agreement and
  zero-retention terms with our AI provider.
* **Telemetry and PII hardening** — tightening how diagnostic and monitoring tools
  handle any personal information.
* **Customer DPAs** — we can provide a data processing agreement on request for
  pilot and paid customers.

## Questions or a deeper review?

If your team needs additional detail, a data processing agreement, or a security
questionnaire completed as part of your evaluation, reach out to
[hello@expertcollective.org](mailto:hello@expertcollective.org) and we'll be glad to help.
