Security

EFFECTIVE: MAY 1, 2026 · LAST UPDATED: MAY 1, 2026

Arx is built for early-stage founders. The data you put into Arx — your cap table, your SAFEs, your investor pipeline, your data room, your financial model — is among the most sensitive information your company holds. This page describes the controls we have in place to keep it safe. It is the public-facing companion to our internal security program and policies.

SRVC Technologies Inc. (dba Arx) is the data controller for our marketing site and the data processor for customer workspace data. This document covers our production environment at app.foundersarx.com.

Contents
  1. Our security commitments
  2. Infrastructure & hosting
  3. Encryption & key management
  4. Authentication & access control
  5. Tenant isolation
  6. Application security
  7. Logging & monitoring
  8. Backups & business continuity
  9. Subprocessor management
  10. Personnel security
  11. Secure development
  12. Vulnerability management
  13. Incident response
  14. Compliance roadmap
  15. Contact

1. Our security commitments

We commit to (i) protecting workspace data with industry-standard controls; (ii) isolating each customer's data from every other customer's data; (iii) maintaining a written security program reviewed at least annually; (iv) notifying affected customers without undue delay following confirmation of a security incident that materially affects their data; and (v) treating customer content as confidential and not using it to train AI models used by other customers.

2. Infrastructure & hosting

The production environment runs on managed cloud providers that are themselves audited under SOC 2 / ISO 27001:

  • Vercel (US) — Next.js marketing site and web application (foundersarx.com, app.foundersarx.com). HTTPS-only, automatic TLS, DDoS protections, isolated build environments.
  • Railway (US) — Fastify API and background workers (api.foundersarx.com). Container-based isolation, private networking between services, encrypted environment variables.
  • Supabase (US/EU) — managed PostgreSQL, authentication, and object storage. Encryption at rest (AES-256), encrypted backups, point-in-time recovery, network-level isolation per project.

All inbound and outbound traffic uses TLS 1.2 or higher. We do not accept connections on lower protocol versions. HSTS is enabled on all production hosts. There are no on-premise components and no employee laptops store production customer data.

3. Encryption & key management

  • In transit: TLS 1.2+ for every browser, API, integration, and webhook connection. Certificate issuance and renewal handled by Vercel / Railway with automatic rotation.
  • At rest: Supabase encrypts the database and object storage at the disk layer using AES-256. Backups inherit the same encryption.
  • Application-layer encryption: All third-party OAuth tokens we hold on a customer's behalf (Google, Stripe Connect, Zoom, MCP refresh tokens, etc.) are encrypted with AES-256-GCM using a 32-byte key stored outside the database. A token can only be decrypted by the API process holding that key at request time.
  • Secrets: Production secrets live in the hosting providers' encrypted environment variable stores. They are never committed to source control; pre-commit hooks and CI scans block commits that look like secrets.
  • Passwords: Stored as bcrypt hashes by Supabase Auth. We never see plaintext passwords.
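The application-layer token encryption described above, sketched as an added Node.js example; it is not Arx's code. The envelope layout (IV, tag, ciphertext), the function names, and the use of `company_id` plus provider as additional authenticated data are assumptions that go beyond what this page states.

```javascript
// Added example: AES-256-GCM envelope for stored OAuth tokens (names are hypothetical).
const crypto = require("node:crypto");

const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// The key lives outside the database (e.g. in the host's secret store).
function loadKey(b64) {
  const key = Buffer.from(b64, "base64");
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  return key;
}

// Assumption: bind each ciphertext to its workspace and provider so a blob
// copied into another tenant's row fails authentication.
const aad = (companyId, provider) => Buffer.from(`${companyId}:${provider}`, "utf8");

function encryptToken(key, token, companyId, provider) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per encryption, never reused
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(aad(companyId, provider));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptToken(key, blob, companyId, provider) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const iv = raw.subarray(0, IV_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(aad(companyId, provider));
  decipher.setAuthTag(raw.subarray(IV_LEN, IV_LEN + TAG_LEN));
  // final() throws if the key, AAD, tag or ciphertext does not match.
  const pt = Buffer.concat([decipher.update(raw.subarray(IV_LEN + TAG_LEN)), decipher.final()]);
  return pt.toString("utf8");
}

// Returns null instead of throwing, for callers that treat failure as "no token".
function tryDecrypt(key, blob, companyId, provider) {
  try { return decryptToken(key, blob, companyId, provider); } catch { return null; }
}

// Constructed sample values so the example runs offline.
const SAMPLE_TOKEN = "constructed-refresh-token-123";
const demoKey = loadKey(crypto.randomBytes(32).toString("base64"));
const stored = encryptToken(demoKey, SAMPLE_TOKEN, "company_a", "google");
```

A database dump alone yields only the base64 envelope; decryption fails without the key, with a modified envelope, or under a different workspace binding.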

4. Authentication & access control

For customers: Sign-in supports email + password, Google OAuth, magic links, and TOTP-based two-factor authentication. Workspace roles (Owner, Admin, Member) gate every mutating action; invites are scoped and revocable. Public sharing surfaces (data room, deck, public booking) require either a per-recipient link or an email-gated viewer session and never expose workspace data beyond what was explicitly shared.

For Arx personnel: Production access is restricted to a small number of named engineers and requires hardware-backed two-factor authentication on every provider console. Each access event is logged at the provider level. Engineers do not have routine access to customer content; ad-hoc access is documented and justified. We do not maintain a customer-support "impersonation" mode.

5. Tenant isolation

Each customer workspace has its own company_id. Every authenticated API request resolves the caller's company on the server side and every read or write is scoped by that identifier. PostgreSQL Row-Level Security policies enforce the same constraint at the database layer, so a defect in application code cannot leak rows belonging to another workspace. Background jobs and AI tool calls carry the same company_id binding. Automated isolation tests run on every pull request and on a daily schedule.

6. Application security

  • Input validation: Every API endpoint is defined by a Zod schema that validates request bodies, query strings, and route params.
  • Output encoding: React encodes all dynamic strings by default; we do not use dangerouslySetInnerHTML on user-provided content. Email templates render through a sanitizer before send.
  • CSRF: The web app uses same-site cookies and JWT bearer auth for cross-origin API calls, eliminating classic CSRF on state-changing routes.
  • Content Security Policy: A strict CSP and other standard headers (HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are set on every response.
  • Rate limiting: Authentication, public booking, and AI endpoints are rate-limited per IP and per workspace.
  • File uploads: Files are scanned for MIME / size limits, stored in Supabase Storage with a per-workspace prefix, and served through signed URLs with short expirations.
  • Watermarks: View-only PDFs shared via the data room are dynamically watermarked with the viewer's email and timestamp.

7. Logging & monitoring

Application logs, request traces, and audit events flow from Vercel and Railway into our observability backend. We retain application logs for 30 days and a per-workspace audit log of mutating actions (who, what, when) for at least 12 months. Alerts page the on-call engineer for error-rate anomalies, authentication abuse, and integration failures. Provider logs (database, storage, authentication) are retained per the provider's retention policy and reviewed during incident response.

8. Backups & business continuity

  • Database: Supabase performs continuous point-in-time backups with at least a 7-day recovery window on the production project.
  • Object storage: Data room and deck files are versioned in Supabase Storage; deletes are soft for the duration of the customer's retention window.
  • Restore testing: We periodically restore a backup into a staging project and verify schema + sample-row integrity.
  • RPO / RTO targets: Recovery Point Objective ≤ 1 hour; Recovery Time Objective ≤ 8 hours for the full production environment, ≤ 1 hour for individual workspace restoration.

9. Subprocessor management

We use a small number of subprocessors to provide the Service. Each subprocessor is bound by a written data processing agreement and is selected for its security posture, contractual commitments, and minimum-access footprint. The current list, including data categories sent to each, is published at /subprocessors. We notify customers in advance of any material change to this list.

10. Personnel security

  • All staff sign confidentiality obligations before being granted any system access.
  • Employment is contingent on satisfactory background screening where local law permits.
  • All staff complete security and privacy training during onboarding and at least annually thereafter.
  • Access is granted on a least-privilege basis and reviewed quarterly. Access is revoked the same day a contract ends.
  • Company-issued workstations use full-disk encryption, screen locks, MDM, and current OS updates.

11. Secure development

Our Secure Software Development Lifecycle (SSDLC) is documented at /sdlc. In summary: protected main branch with mandatory peer review and required CI checks (lint, typecheck, automated test suite, build, Docker validation) before merge; static analysis and dependency scanning on every pull request; production-credential isolation; CI-only deploys with audit trail.

12. Vulnerability management

We accept responsible vulnerability reports at /responsible-disclosure. Internally, we maintain an inventory of dependencies, scan for known vulnerabilities daily, and patch on a severity-based schedule (critical within 7 days, high within 30 days). Infrastructure and dependency management practices are documented at /infrastructure.

13. Incident response

Our incident response process — detection, classification, containment, eradication, recovery, customer notification, and post-mortem — is documented at /incident-response. Confirmed incidents that materially affect customer data trigger written notice to the affected workspace owner without undue delay and, where applicable, within the timeframe required by law.

14. Compliance roadmap

  • GDPR / UK GDPR / Canadian PIPEDA: We process personal data on a defined legal basis, honor data-subject access and deletion requests, and use Standard Contractual Clauses where customer data is transferred outside the EEA / UK.
  • CCPA / CPRA: We do not sell personal information and honor opt-out and deletion rights.
  • SOC 2 Type II: Engagement planned for a future fiscal year. The controls described above map to the AICPA Trust Services Criteria for Security and Confidentiality.
  • Marketplace reviews: The same documented controls support our submissions to the Zoom App Marketplace, Slack App Directory, and Claude Marketplace.

15. Contact

For security questions, vulnerability reports, or to request additional documentation (security questionnaires, SOC 2 progress letter, sub-processor DPAs):

  • Security — security@foundersarx.com
  • Privacy — privacy@foundersarx.com
  • Mail — SRVC Technologies Inc. (dba Arx), 1 King Street West, 48th Floor, Toronto, Ontario M5H 1A1, Canada

This document is provided for transparency. It is not legal advice and is not a contract; customer-specific terms may apply to enterprise agreements and DPAs.

© 2026 Arx, Inc. All rights reserved.