Security

We designed this page for security reviewers and for anyone who wants the straight story—without marketing fluff.

Encryption

Data at rest in our cloud providers is protected with AES-256 (or stronger equivalents offered by the same platforms). Traffic between your browser and our app uses TLS 1.3 where supported by the client and edge network.

Access controls

Application databases are accessed with service role keys on the server only—there is no anonymous public SQL against production tables. Where we use Supabase, Row Level Security is enabled for defense in depth. Humans with production access are limited to people who need it to operate the product.

Auto-deletion

Questionnaire inputs auto-delete after 30 days. PDFs generated for email delivery auto-delete after 90 days. Email engagement records are retained 13 months, then removed unless law requires otherwise.

Sub-processors

Primary vendors that may process personal data:

  • Anthropic — LLM inference for narrative analysis.
  • Resend — outbound email.
  • Vercel — hosting and edge.
  • Supabase — database and authentication-related infrastructure, as configured for our deployment.

SOC 2

Not yet certified. Planned path: SOC 2 Type 1 by month 9, Type 2 by month 18 (internal roadmap subject to change—we will update this page when status changes).

HIPAA and PHI

This product is not HIPAA compliant and is not intended for protected health information. Do not paste PHI into any free-text fields. If you are unsure whether something counts as PHI, do not submit it here.

Contact

Security questions and coordinated disclosure: security@playbookbysme.com.

Deletion request

Tell us what to delete (questionnaire data, PDFs, engagement records, or all). We will confirm by email when we can.