🚧 Developer Preview — This site is still under active development. Some features may be incomplete or change without notice.

Security Overview

For government IT departments and security reviewers. This page describes how your data is stored, transmitted, and processed.

  • Hosted on: AWS US-East-1 (N. Virginia)
  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Data residency: United States only

Infrastructure

Website and API — Vercel

The web application and backend API are hosted on Vercel's global edge network, with serverless functions deployed in the US region. Vercel is SOC 2 Type 2 certified and ISO 27001 compliant.

Database — Supabase on AWS US-East-1

All account data, exercise history, and session records are stored in a Supabase PostgreSQL database running on Amazon Web Services in the US-East-1 region (Northern Virginia). Data does not leave US infrastructure. Supabase is SOC 2 Type 2 certified.

Row-level security (RLS) policies ensure that each user can only access their own data. Database connections use TLS encryption.

Payments — Stripe

Payment card data is handled entirely by Stripe, a PCI-DSS Level 1 certified payment processor. We never see, transmit, or store raw payment card numbers. We store only the Stripe customer ID and subscription status.

Encryption

  • ✓ In transit: All connections to the website and API use TLS 1.2 or higher. Plain HTTP connections are automatically redirected to HTTPS.
  • ✓ At rest: Supabase encrypts all database data at rest using AES-256. Backups are also encrypted.
  • ✓ Passwords: User passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords.

AI Processing — What Anthropic Receives

When a user clicks “Generate AI Debrief,” the following data is sent to Anthropic's API:

  • The titles and descriptions of action cards placed on the exercise board
  • Any notes or justifications the team added to placed cards
  • Player self-assessment text (strengths, improvements, additional notes)
  • Numeric ratings (1–5 scale) from player assessments
  • A list of injects triggered during the exercise

What is NOT sent to Anthropic: user names, email addresses, organization names, account identifiers, or any other personally identifiable information.

Under Anthropic's current API terms, prompts and responses are not used to train AI models. Anthropic's data processing practices are governed by their privacy policy at anthropic.com/privacy.

Note for government users: We recommend not including classified, FOUO, law enforcement-sensitive, or personally identifiable information in exercise notes, as this content is transmitted to Anthropic when generating a debrief. The AI debrief is an optional feature — exercises can be completed without it.
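
One way to enforce the sent / not-sent split described in this section is an allowlist applied just before the API call. This is an added example, not the site's own code; the function names, the field names (`cards`, `assessments`, `injects`, `notes`, `rating` and the rest) and the sample record are assumptions made for illustration.

```javascript
// Added illustration; field names are hypothetical, not the site's schema.
const ALLOWED = {
  cards: ["title", "description", "notes"],
  assessments: ["strengths", "improvements", "additionalNotes", "rating"],
  injects: ["title"],
};

// Copy only allowlisted keys; anything not named above is dropped by default.
function pick(record, keys) {
  const out = {};
  for (const k of keys) {
    if (Object.prototype.hasOwnProperty.call(record, k)) out[k] = record[k];
  }
  return out;
}

function buildDebriefPayload(exercise) {
  const payload = {};
  for (const [section, keys] of Object.entries(ALLOWED)) {
    const rows = Array.isArray(exercise[section]) ? exercise[section] : [];
    payload[section] = rows.map((row) => pick(row, keys));
  }
  // Ratings must be integers 1 to 5; reject anything else rather than forward it.
  for (const a of payload.assessments) {
    if ("rating" in a && !(Number.isInteger(a.rating) && a.rating >= 1 && a.rating <= 5)) {
      throw new RangeError("rating must be an integer from 1 to 5");
    }
  }
  return payload;
}

// Constructed sample record: identifiers sit beside the exercise content.
const sample = {
  userId: "u_123", email: "player@example.gov", organization: "Example County IT",
  cards: [{ id: 7, title: "Isolate host", description: "Pull from network",
            notes: "Approved by J. Smith", placedBy: "u_123" }],
  assessments: [{ playerName: "J. Smith", strengths: "Fast triage",
                  improvements: "Comms", additionalNotes: "", rating: 4 }],
  injects: [{ title: "Ransom note appears", triggeredBy: "u_123" }],
};

function demo() {
  const sent = JSON.stringify(buildDebriefPayload(sample));
  return {
    structuredIdsLeaked: /u_123|example\.gov|Example County/.test(sent),
    freeTextNameLeaked: sent.includes("J. Smith"), // typed into a note by a user
  };
}
console.log(demo());
```

The second flag comes back true because the name was typed into a card note: an allowlist removes structured identifiers but does not scrub free text, which is the gap the note for government users addresses.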

Access Controls

  • ✓ Row-level security: Database access is restricted by Supabase RLS policies. Users can only read and write their own records.
  • ✓ API authentication: All API endpoints that access account data require a valid authentication token. Tokens are short-lived and refreshed automatically.
  • ✓ Admin access: Internal administrative access to the database is restricted to the sole operator and requires multi-factor authentication.

Data Retention and Deletion

  • Active accounts: Data retained for the life of the account.
  • Cancelled accounts: Data retained 90 days post-cancellation, then deleted.
  • Demo sessions: No data is stored. The free demo runs entirely in the browser.
  • Contact form messages: Retained up to 12 months.
  • Data deletion requests: Fulfilled within 30 days of written request.

Incident Response

In the event of a security incident affecting user data, we will notify affected users by email within 72 hours of discovery, as required by applicable law. Notifications will describe the nature of the incident, data affected, and steps taken or recommended.

To report a security vulnerability, contact carleycritser@gmail.com with “Security Report” in the subject line. We take all reports seriously and will acknowledge receipt within 2 business days.

Questions

For security reviews, DPA requests, or questions from IT departments: carleycritser@gmail.com

We are a small operator. We respond to all security and compliance inquiries personally and do not use automated responses for these requests.