Security
Built on infrastructure trusted by enterprise.
Last updated: April 30, 2026
Our security posture, plainly
Ledgentry is a small, focused product. We don't have a compliance team, but we deliberately built on infrastructure that does. Every data touchpoint — your account, your financial records, payments, emails, AI requests — runs through vendors that hold SOC 2 Type II certifications and follow industry-best security practices.
We're not yet SOC 2 audited as a company (planned when enterprise customers require it), but every layer underneath us is. Below is the full breakdown.
Where your data lives
- Database: Supabase (managed Postgres, AWS us-east-1). SOC 2 Type II. Encrypted at rest. Daily automated backups. Row-Level Security on every user-scoped table — your data is segregated from other users at the database level, not just the application level.
- Authentication: Supabase Auth with magic links and Google OAuth. No passwords stored — there's nothing to leak if our database is breached. Sessions are cookie-based with short expiry.
- Payments: Stripe (PCI DSS Level 1 + SOC 2 Type II). We never see, store, or process card numbers. All payment flows go through Stripe's vaulted checkout pages. Funds from invoice payments go directly to your connected Stripe account via Stripe Connect — Ledgentry never holds your money.
- Email delivery: Brevo (SOC 2 Type II + ISO 27001). Sent from a verified domain (hello@ledgentry.com) with SPF, DKIM, and DMARC configured.
- AI inference: Anthropic's Claude API (SOC 2 Type II + ISO 27001). Their commercial terms prohibit training on API data. We send only what's needed for a given draft or query.
- Hosting: Vercel (SOC 2 Type II), running on AWS. HTTPS-only with auto-renewing TLS certificates.
- DNS + edge: Cloudflare (SOC 2 Type II + ISO 27001 + PCI DSS).
Encryption
- In transit: TLS 1.2+ everywhere. HTTPS-only with HSTS enforced.
- At rest: AES-256 via Supabase's managed Postgres encryption. Stripe vaults card data with their own infrastructure (we never see it).
- Secrets: Stored in Vercel's encrypted environment variable system. Never committed to source code.
Access control
- Application-level: Row-Level Security policies on every user-scoped table. Each request is additionally filtered by user ID at the API layer (defense-in-depth).
- Internal: Production database access is limited to the founder. No third-party support contractors. Service-role credentials are never used in client-facing code.
- Authentication: Magic-link or Google OAuth only. No passwords stored. Sessions expire and refresh cleanly.
What we don't do
- We don't sell your data. Period.
- We don't use third-party analytics, advertising trackers, or fingerprinting on the app.
- We don't train AI models on your data. Your AI requests go to Anthropic under their commercial terms (no training).
- We don't hold your money. Stripe Connect routes invoice payments directly to your bank account.
- We don't run unaudited code. Every dependency is from a reputable maintainer; lockfile pinning prevents surprise updates.
- We don't claim absolute security — no system is 100% impenetrable. We implement layered controls (encryption, access control, vendor compliance, monitoring) to reduce risk to a level appropriate for the data we handle.
Incident response
If we discover a confirmed breach affecting your personal or financial information (as defined under applicable law), we'll notify you promptly and without unreasonable delay via the email on your account. We'll explain what happened, what data was affected, and what we're doing about it.
If you discover a vulnerability, please report it to security@ledgentry.com. We'll aim to respond within one business day. We don't currently offer monetary rewards for vulnerability disclosures, but we'll publicly acknowledge responsible reporting (with your permission).
Safe harbor for security researchers. We welcome good-faith security research and will not pursue legal action — including under the Computer Fraud and Abuse Act (CFAA) — against researchers who follow standard responsible disclosure guidelines (notify us first, give reasonable time to fix, don't access more data than necessary to demonstrate the issue, don't exfiltrate user data).
Compliance roadmap
Ledgentry-the-company is not yet SOC 2 audited, and we make no representation or warranty of SOC 2 compliance at the Ledgentry company level. We'll pursue SOC 2 Type I when our first enterprise customer requires it. In the meantime, our infrastructure is built on SOC 2 Type II certified vendors at every layer of the data path.
We honor data subject rights requests (access, export, deletion, correction) consistent with CCPA requirements and GDPR principles where applicable. We aim to respond to verified requests within 30 days. Email support@ledgentry.com with any request.
Want more detail?
For security questionnaires, vendor reviews, or specific technical questions — email support@ledgentry.com with "Security questionnaire" in the subject line. We'll aim to respond within two business days.
Responses to security questionnaires reflect our current practices and do not create additional contractual obligations beyond what is set forth in our Terms of Service and Privacy Policy.
This page summarizes our security practices as of the effective date above and is provided for informational purposes only. It is not a warranty, representation, or part of any binding contract. For binding terms, see our Terms of Service and Privacy Policy.
