Security FAQ
Vendor security questionnaire
Common security questions pre-answered for your firm's vendor review process. Download a summary to attach to your vendor file.
Do you store uploaded documents?
No. All processing occurs in volatile memory (RAM). Files are never written to disk, database, or any persistent storage system.
What encryption do you use?
TLS 1.3 for data in transit. There is no data at rest because nothing is stored.
Do you use third-party sub-processors?
Yes. Anthropic (AI-powered document processing) with contractual zero data retention. Supabase (authentication and billing metadata only — no document content touches Supabase).
Do you have SOC 2 certification?
Not yet. We are on a SOC 2 Type II roadmap. Our zero-retention architecture eliminates the primary risk SOC 2 addresses — stored data breach — because no customer data exists to steal.
Where are your servers located?
Supabase Edge Functions run on AWS infrastructure. Anthropic API processes on US-based servers. All data transit occurs within encrypted channels.
Do you use advertising trackers?
No. We use Google Ads conversion tracking only (page-level, no user-level tracking). No Google Analytics, no Facebook Pixel, no remarketing cookies, no fingerprinting.
What is your data retention period?
Zero. Documents exist only during the active conversion session (typically 5–30 seconds). After the converted file is delivered to the user's browser, all memory is deallocated.
Do you train AI models on uploaded data?
No. Anthropic's Claude API has a blanket policy of never training on data submitted through their API. This is both a contractual and technical guarantee.
What happens if there's a breach?
Our zero-retention architecture means a breach of our systems would expose no customer financial data, because none exists to steal. Account credentials (email + hashed password) are the only user data stored, protected by Supabase's SOC 2 compliant infrastructure.
Can you sign a BAA or DPA?
Contact us at help@statementtoexcel.io to discuss Business Associate Agreements, Data Processing Agreements, or other vendor security documentation.
Need additional security documentation or want to discuss a BAA/DPA?
help@statementtoexcel.io