SECURITY & TRUST

Your idea stays yours.

We do not sell your data or use it to train public models. Here is exactly what we do with your data, where it goes, and who handles it.

We are an early-stage company. We do not yet hold a third-party security certification such as SOC 2 or ISO 27001, and we do not yet have custom DPAs or signed provider amendments in place. The practices below are self-attested and rely on each vendor's standard terms. If you need a security questionnaire response or want to discuss a custom arrangement, email security@tryverdikt.app.

VENDOR API TERMS: PAYLOADS NOT USED TO TRAIN VENDOR MODELS
ENCRYPTION: AES-256 AT REST · TLS 1.3 IN TRANSIT
SUB-PROCESSORS: PRIMARY PROCESSORS PUBLISHED
DISCLOSURE: 72-HOUR INCIDENT NOTIFICATION

DATA HANDLING

What we store, how long, who sees it.

Brief content (your pitch text)

Where: Encrypted at rest
Retention: While your account is active; deleted on request
Who sees it: Owner only

Verdict reports

Where: Encrypted at rest
Retention: Until deletion requested
Who sees it: Anyone with a share link you create

LLM prompt and response payloads

Where: Routed via the Vercel AI Gateway; may be captured in our observability tool for debugging
Retention: Per vendor API terms; payloads not used to train vendor models
Who sees it: Verdikt engineers

Payment metadata

Where: Processor-tokenized
Retention: 7 years (tax)
Who sees it: Verdikt finance

SUB-PROCESSORS

The primary processors with access to your data.

We list the primary third-party processors in our stack, including ones that haven't started receiving data yet. The status column tells you exactly which are live today. Updates go out 30 days before any new processor handles your data.

Vercel

Status: ACTIVE
Purpose: Hosting, edge, serverless functions, AI Gateway, and pipeline job orchestration (Workflow SDK)
Region: Global
Data protection: Standard Vercel terms

Supabase

Status: ACTIVE on intake launch
Purpose: Auth, Postgres, file storage
Region: US-East
Data protection: Standard Supabase terms

OpenAI

Status: ACTIVE on intake launch
Purpose: GPT-5.4 family · report research and synthesis
Region: US
Data protection: Standard API terms (via the Vercel AI Gateway); payloads not used to train vendor models

Anthropic

Status: ACTIVE on intake launch
Purpose: Claude API · intake and live web search
Region: US
Data protection: Standard API terms (via the Vercel AI Gateway); payloads not used to train vendor models

Exa

Status: ACTIVE on intake launch
Purpose: Web search and live source corroboration
Region: US
Data protection: Standard API terms

Tavily

Status: ACTIVE on intake launch
Purpose: Web search and live source corroboration
Region: US
Data protection: Standard API terms

Firecrawl

Status: ACTIVE on intake launch
Purpose: Web page retrieval and scraping
Region: US
Data protection: Standard API terms

Paddle

Status: PLANNED · activates on paid checkout launch
Purpose: Merchant of record · checkout, tax, receipts, refunds, and chargebacks
Region: Global
Data protection: Processor PCI and standard terms

Resend

Status: ACTIVE on contact form go-live
Purpose: Transactional email
Region: US-East
Data protection: Standard Resend terms

Purpose: Aggregate web analytics (page views, traffic sources, engagement)
Region: Global
Data protection: IP anonymization enabled

PostHog

Status: PLANNED · gated behind cookie consent
Purpose: Self-hosted product analytics
Region: EU-Central
Data protection: EU-only data plane

Braintrust

Status: ACTIVE on intake launch
Purpose: LLM observability and eval platform (server-side traces)
Region: US
Data protection: Standard Braintrust terms; payload capture is enabled by default for debugging

PRACTICES

What we commit to today.

Each item below is either operating today or waiting on the relevant launch. Where a practice activates only when its sub-processor goes live, it inherits that vendor's status from the table above. We update this page when any item changes.

  • Standard vendor API terms. Reports run on OpenAI's GPT-5.4 family, with Anthropic used for live web search. We rely on our model vendors' standard API terms (accessed via the Vercel AI Gateway), under which API payloads are not used to train their models. We retain submitted briefs while your account is active and delete them on request (privacy@tryverdikt.app). We do not have custom enterprise contracts in place today; if your organization requires a signed amendment, email security@tryverdikt.app and we will work with you.
  • Encryption in transit. TLS 1.3 via Vercel on every route. HSTS with includeSubDomains and a 2-year max-age once the canonical domain is preload-eligible.
  • Encryption at rest. AES-256 across Supabase Postgres, file storage, and payment metadata held by Paddle, our merchant of record.
  • Sub-processor disclosure. Our primary processors are named on this page. Updates ship 30 days before they take effect.
  • Standard vendor terms apply. We rely on each vendor's standard data-processing terms (as accepted at sign-up). We do not currently maintain custom DPAs with sub-processors. If you need to see a specific vendor's terms, email security@tryverdikt.app and we will point you to the relevant pages.
  • Customer DPA not yet available. We do not yet have a customer DPA template ready to sign. If your organization requires one before using Verdikt, email security@tryverdikt.app and we will work with you on a path forward. Until then, our public privacy policy and the data-handling table on this page describe our practices.
  • Least-privilege access. Production access is limited to our two engineers and protected by SSO with 2FA.
  • GDPR and CCPA aligned. Export and deletion are available on request and handled manually today. We do not sell personal data.
  • Vulnerability disclosure. Email security@tryverdikt.app or use /.well-known/security.txt. Acknowledged within one business day.
  • 72-hour incident notification. If customer data is materially affected, we notify within 72 hours of confirming the incident.

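A way to verify the HSTS commitment in the "Encryption in transit" item above, as an added example that is not Verdikt's code: it parses a Strict-Transport-Security header and reports where it falls short of includeSubDomains, the stated 2-year max-age, and preload-list eligibility. The preload criteria it assumes (max-age of at least 31536000 seconds, includeSubDomains, and a preload directive) are the published hstspreload.org submission requirements; the sample headers are constructed.

```python
from typing import Dict, List, Optional

TWO_YEARS = 2 * 365 * 24 * 3600    # 63072000 s, the max-age the page commits to
PRELOAD_MIN_AGE = 365 * 24 * 3600  # 31536000 s, assumed hstspreload.org minimum


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header into a directive -> value map (None for bare flags)."""
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        # Directive names are case-insensitive; strip optional quotes on values.
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header: Optional[str]) -> List[str]:
    """Return findings; an empty list means the header meets the stated policy."""
    if not header:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    else:
        age = int(max_age)
        if age < PRELOAD_MIN_AGE:
            findings.append(f"max-age {age} below preload minimum {PRELOAD_MIN_AGE}")
        elif age < TWO_YEARS:
            findings.append(f"max-age {age} below the stated 2-year target {TWO_YEARS}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload directive missing (required for list submission)")
    return findings


# Constructed sample headers: the stated target, a weak one, and a malformed one.
SAMPLES = {
    "target": "max-age=63072000; includeSubDomains; preload",
    "weak": "max-age=300",
    "malformed": "max-age=abc; preload",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, check_hsts(hdr) or "ok")
```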
REPORTING

Found something? Tell us.

Security researchers and customers can report a concern at any time. We acknowledge within one business day and ship a remediation timeline within 72 hours.

security@tryverdikt.app