Security

Last reviewed: April 2026 — Internal review by Soft Solutions Partners

This page describes how ValueArchitect.ai protects your organization's data. We believe in transparency about what we do, what we don't do yet, and what's on our roadmap.

Infrastructure

Database & Backend — Supabase (PostgreSQL on AWS)

All data is stored in a managed PostgreSQL database hosted by Supabase on Amazon Web Services (AWS us-east-1, Northern Virginia). Supabase is SOC 2 Type II certified. Data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Frontend Hosting — Netlify

The application is served via Netlify's global CDN. HTTPS is enforced on all connections. Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are applied to all pages.

AI Processing — Anthropic Claude API

AI-generated reports and analysis are processed via Anthropic's API. Your data is sent to Anthropic's servers to generate the specific output requested and is not retained by Anthropic for model training under their API terms of service. No data is stored by Anthropic beyond the duration of the API call.

Data Isolation

Every organization's data is isolated using PostgreSQL Row Level Security (RLS). This is a database-level control — not just an application-level check — that ensures queries can only return data belonging to the authenticated user's organization. This is enforced on every table, every query, including administrative operations through the application.

Users from Organization A cannot access, view, or query data from Organization B under any circumstances through the application layer.

Authentication

Email-based magic link login (passwordless) — links are single-use and expire within 1 hour
Email and password login with minimum 12-character requirement
Leaked password protection via HaveIBeenPwned database (checked at signup)
Session tokens expire after 1 hour with silent refresh while active
Inactivity timeout after 30 minutes
All authentication events are logged with timestamp and IP

✓ Active

⏳ Coming soon — Google and Microsoft OAuth

PENDING: Google and Microsoft OAuth (SSO via Gmail / Microsoft 365) is on the roadmap for the next release. This will allow users to sign in with their existing corporate identity without creating a separate password.

Access Control

ValueArchitect.ai uses role-based access control within each organization:

Super Admin (Soft Solutions Partners only) — cross-organization administration. No client can be assigned this role.
Admin — full access within their organization, can invite and remove users
Member — full read/write access, cannot manage users
Viewer — read-only access to their organization's data

Only Soft Solutions Partners can create Admin accounts for new organizations. Admins can invite Members and Viewers within their organization.

Access Control — Pilot Phase

✓ Invite-only registration

Public registration is disabled. Every user must be invited by an organization admin or by Soft Solutions Partners. Invite links expire after 7 days and are single-use.

Audit Logging

All material data actions (create, update, delete) are recorded in an immutable audit log with the user, timestamp, and action. Authentication events (login, logout, failed attempts, password resets) are also logged. Logs are retained for a minimum of 90 days.

What Data We Collect

ValueArchitect.ai stores the following categories of data entered by your organization:

AI program data: strategies, initiatives, use cases, KPIs, risks, capabilities, stakeholders
Financial data: AI investment estimates, cost entries, productivity baselines
Team data: AI team member names and roles (not personal HR data)
Documents: files uploaded by users (during pilot, document uploads are limited)
Account data: user email addresses, names, and roles

We do not collect or store: Protected Health Information (PHI), Personally Identifiable Information beyond basic account data, payment card information, or Social Security Numbers.

Compliance Status

✓ Supabase (infrastructure) — SOC 2 Type II certified

✓ Data encrypted at rest (AES-256) and in transit (TLS 1.3)

✓ Organization-level data isolation via Row Level Security

⏳ HIPAA — Not yet compliant

PENDING: HIPAA compliance requires a Business Associate Agreement (BAA) with our infrastructure provider. This is available on Supabase's paid tier and is on our roadmap before general availability. We recommend healthcare organizations do not store PHI during the pilot phase.

⏳ SOC 2 (application layer) — Planned post-pilot

PENDING: A SOC 2 Type I audit of the ValueArchitect.ai application layer is planned for post-pilot. Our infrastructure provider (Supabase) is already SOC 2 Type II certified, which covers the database and hosting layer.

⏳ Penetration testing — Planned pre-GA

PENDING: A formal third-party penetration test is planned before general availability.

Data Deletion and Export

You can request a complete export of your organization's data at any time by contacting us at hello@softsolutionspartners.com. We fulfill export requests within 5 business days.

You can request complete deletion of your organization's data at any time. Deletion requests are fulfilled within 10 business days. Deleted data is removed from our production database immediately and from backups within 30 days.

Incident Response

In the event of a data security incident, we will notify affected organizations within 72 hours of becoming aware of the incident. Security concerns can be reported to hello@softsolutionspartners.com.

Questions

If you have security questions not answered here, please contact us at hello@softsolutionspartners.com. We respond to security inquiries within one business day.