# Trust & Security

Last updated: 19 May 2026

## Our security posture in one paragraph

Impactean is built on EU-resident infrastructure (Supabase Postgres in AWS Frankfurt, Resend email in AWS Dublin). Application compute runs on Vercel in Washington, D.C. under EU Standard Contractual Clauses. AI inference runs on OpenAI under SCCs and a no-training contractual commitment. Card data is processed only by Stripe (PCI-DSS Level 1) and never touches our servers. We run no third-party analytics, marketing, or session-replay tools. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). The full list of sub-processors is at /legal/sub-processors.

## Data protection

- **At rest** — AES-256 across Supabase Postgres, Supabase Storage, Resend, Stripe, and OpenAI.
- **In transit** — TLS 1.2 minimum on every public endpoint; HSTS enabled.
- **Passwords** — bcrypt; never logged, never stored in plaintext.
- **Backups** — Supabase Pro point-in-time recovery up to 7 days. Migration to Supabase Enterprise (28+ days PITR, dedicated infrastructure) is planned.
- **Data residency** — Account data, assessment results, coaching conversations, and uploaded files are stored in Frankfurt (EU). Transactional emails are sent from Dublin (EU). Application compute and AI inference run in the US under SCCs.

## Application security

- Supabase Auth with refresh-token rotation; HttpOnly, Secure, SameSite=Lax cookies.
- Postgres Row-Level Security (RLS) on every user-scoped table.
- Service-role database access is restricted to server-side code paths and is audited.
- Stripe Checkout (hosted) for all card capture — we never receive PAN/CVV.
- Webhook signature verification on every Stripe event.
- No third-party JavaScript trackers loaded in the app.
- HTTP security headers: HSTS, X-Content-Type-Options, X-Frame-Options/frame-ancestors, Referrer-Policy, Permissions-Policy, and a Content Security Policy. (See https://securityheaders.com)

## Tracker & scripted telemetry governance

- Our internal release checklist blocks marketing tag managers and third-party session-replay tools in both the **marketing** (`impactean.com`) and **`app`** bundles.
- Subdomains such as **`blog`** are held to the same standard wherever Impactean controls the theme and source.

## Operational security

- **Business continuity** — Backups and restore procedures documented; RPO/RTO aligned with Supabase PITR capabilities.
- **Personnel** — Production access limited to named staff; confidentiality obligations for anyone handling personal data.
- Least-privilege access to production systems; SSO + MFA on all vendor consoles.
- Quarterly internal security reviews.
- Dependency scanning and `npm audit` on every release.
- Production secrets stored only in Vercel and Supabase; never committed to Git.
- Incident response process with a 72-hour GDPR notification commitment.

## AI safety

- We use OpenAI's API for inference. API content is not used to train OpenAI models.
- Standard API: OpenAI may retain API content for up to 30 days for abuse monitoring; we are migrating to OpenAI Enterprise with Zero Data Retention.
- Coaching chat transcripts are not shared with employers. Business plans may receive programme-level analytics (scores, commitment summaries, engagement metrics) under the DPA — not coaching messages.
- Our coaching prompts are reviewed against ICF coaching ethics and refreshed periodically.
- We do not use coaching content for any purpose other than operating the coaching feature for that user.
- The AI Coach is not a therapist or crisis service. We do not monitor chats in real time or provide emergency intervention; users in crisis should contact local emergency services.

## SOC 2 readiness (not yet certified)

Impactean **does not currently hold a SOC 2 Type I or Type II report**, and we are **not** in an active SOC 2 or ISO 27001 certification audit. We design and operate controls to align with the AICPA Trust Services Criteria (security, availability, and confidentiality). Customers may rely on:

| Control area | Our current practice | SOC 2 TSC alignment (informative) |
|---|---|---|
| Access control | SSO + MFA on production vendors; least-privilege; RLS on user data; no shared production passwords | CC6 |
| Encryption | TLS 1.2+ in transit; AES-256 at rest on primary stores; bcrypt passwords; Stripe-hosted payments | CC6 |
| Change management | Git-based releases; dependency scanning; staged deploys on Vercel | CC8 |
| Vendor management | Published sub-processors; DPAs; 30-day change notice | CC9 |
| Logging & monitoring | Application and security logs; retention per Privacy Policy §9 | CC7 |
| Incident response | Documented IR process; 72-hour GDPR breach notification to controllers | CC7 |
| Backup & recovery | Supabase PITR (up to 7 days); tested restore procedures | A1 |
| Data retention & deletion | Published schedule; verified DSR workflow via privacy@impactean.com | C1 |
| Privacy | GDPR-aligned Privacy Policy, DPA, SCCs, DPIA for AI coaching | P-series (privacy criteria where applicable) |

Enterprise customers may request our security questionnaire or control narrative at security@impactean.com.

## Vendor compliance (inherited)

| Vendor | Attestation |
|---|---|
| Supabase | SOC 2 Type 2, HIPAA-ready |
| Vercel | SOC 2 Type 2, ISO 27001 |
| OpenAI | SOC 2 Type 2, CSA STAR |
| Stripe | PCI-DSS Level 1, SOC 1 + 2 Type 2, ISO 27001 |
| Resend | SOC 2 Type 2 |

Impactean does not currently hold its own SOC 2 or ISO 27001 attestation. We may pursue formal attestation in future; if we obtain one, we will update this page.

## GDPR & privacy

- EU/EEA data residency for primary data stores (Frankfurt).
- EU Standard Contractual Clauses (Module 2) for transfers to the United States (OpenAI, Vercel, Stripe Inc.).
- Published retention and deletion schedule at [/legal/privacy](/legal/privacy) §9.
- Data Protection Impact Assessment (DPIA) maintained for AI coaching and organisational programme features — summary available to enterprise customers on request.
- Records of processing activities (GDPR Art. 30) are maintained; data-subject requests are handled within 30 days.
- In-product: delete individual coaching sessions; download report PDF. Full account closure and data export: **privacy@impactean.com**.
- Sub-processor change notifications with 30 days' notice.
- Signed customer DPA available at [/legal/dpa](/legal/dpa).

## Vulnerability disclosure

We welcome coordinated disclosure of security issues. Email security@impactean.com. We commit to:

- Acknowledge within 48 hours;
- Triage within 5 business days;
- Credit researchers (with consent) when a fix ships.

For encrypted disclosure, email security@impactean.com to request our PGP key.

## Contact

security@impactean.com · privacy@impactean.com
