Security & Compliance
Where we stand today, and where we're headed.
Audity is built for consultants handling sensitive client information. This page summarizes how we protect customer data today and the compliance milestones we are working toward over the next 24 months.
1. Current security posture
Authentication & access control
Authentication is handled by Clerk. Multi-factor authentication is available to every user, sessions are managed with short-lived JWTs, and administrative routes are protected at the middleware layer. Feature-level access is enforced through a role and feature-flag system that is covered by a dedicated test suite.
Data storage & encryption
Customer data is stored in Supabase Postgres in US regions. Row-Level Security is enabled on every tenant table and verified by an automated test suite. Data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher.
Infrastructure & hosting
The application runs on Fly.io, which operates under SOC 2 Type II at the platform level. Environments are isolated and promoted through a controlled release process with containerized deployments.
Secrets & key management
All credentials are injected through environment variables. No secrets are stored in the codebase. Rotation procedures and an incident response playbook are documented internally and reviewed as posture evolves.
Application security
Inbound webhooks from Clerk and Stripe are verified by signature. API routes are protected and tested. Row-Level Security and feature-access tests run in CI on every change.
Monitoring & incident response
PostHog captures product events and errors. We commit to notifying affected customers within 24 hours of confirming a data breach, in line with our incident response playbook.
Backups & recovery
Supabase provides managed daily backups of the primary database. Restore procedures are tested as part of internal operations.
Responsible disclosure
If you believe you have found a security issue, please email [email protected]. We acknowledge reports within one business day.
2. Subprocessors
Audity relies on the following subprocessors to deliver the service. Each vendor is covered by its own terms and privacy commitments, and we review these as our compliance program matures.
| Subprocessor | Purpose | Data accessed | Region |
|---|---|---|---|
| Clerk | Authentication & MFA | Account credentials, session tokens | US |
| Supabase | Primary database & file storage | All customer data | US |
| Fly.io | Application hosting | Request logs, deployed code | US (Chicago) |
| Stripe | Payment processing | Billing info, payment methods | US / global |
| Paddle | Merchant of record & tax handling | Billing info, tax residency | US / global |
| Resend | Transactional email | Email address, message content | US |
| PostHog | Product analytics & session replay | Usage events, session recordings | US |
| OpenAI | LLM inference | Prompts and context | US |
| Anthropic | LLM inference | Prompts and context | US |
| Google Generative AI | LLM inference | Prompts and context | US |
| Mistral | LLM inference | Prompts and context | EU |
| N8N + Gamma | Workflow & presentation generation | Discovery outputs | US / EU |
3. Data handling
- We collect account information, business documents, interview responses, and product usage data.
- Customer data lives in US-based Supabase Postgres with Row-Level Security applied per tenant.
- Retention is tied to the active subscription and detailed in our Privacy Policy.
- Export and deletion requests are handled through [email protected].
- Customers retain all rights to their data. Audity acts as a processor, not an owner.
- We do not train AI models on customer data. AI providers process data according to their enterprise API terms, and we do not opt into any provider training programs.
4. Compliance roadmap, next 24 months
We are on a deliberate path toward formal certification. This roadmap reflects what we are working on today, not a marketing wish list.
- Privacy Policy and Terms of Service published
- Row-Level Security enforced across all tenant tables
- MFA available to every user via Clerk
- SOC 2 readiness and gap assessment
- Formal written security policies: access control, incident response, vendor management
- Automated dependency and vulnerability scanning in CI
- SOC 2 Type I report
- Third-party penetration test with a public summary
- Formal vendor risk management program
- SOC 2 Type II report
- Continuous compliance monitoring
- Customer-facing trust center with live control evidence
5. Frequently asked questions
6. Contact
For security questionnaires or responsible disclosure, reach out to us directly.
This page is updated as our security posture evolves. Last updated April 15, 2026.