SECURITY & INFRASTRUCTURE
Security & Compliance Overview
This document is intended for vendor risk, procurement and IT security teams reviewing LoanStage for institutional deployment. It covers infrastructure, data handling, access controls and compliance posture.
1. Infrastructure & Hosting
| Cloud provider | Supabase (PostgreSQL) + Vercel (compute) |
| Data residency | Database: Supabase EU region (Frankfurt, Germany) |
| Compute region | Vercel EU West (Dublin, Ireland); request processing stays within the EU |
| CDN | Vercel Edge Network — static assets only, no PII in CDN |
| Uptime SLA | 99.9% target. Status available on request. |
| Disaster recovery | Supabase automated daily backups with point-in-time recovery (PITR) |
2. Data Encryption
| Encryption at rest | AES-256 — all portfolio and loan data |
| Encryption in transit | TLS 1.3 — all API and web traffic |
| Database encryption | Supabase transparent data encryption (TDE) |
| Key management | Managed by Supabase. Customer-managed keys available on request. |
| Backup encryption | All backups encrypted with AES-256 |
3. Access Control
| Authentication | Clerk (SOC 2 Type II certified). Supports email and Google SSO sign-in. |
| Session management | Clerk-issued session JWTs with configurable expiry. Logging out revokes the session, so its tokens are no longer accepted. |
| Tenant isolation | PostgreSQL row-level security (RLS) policies on all database tables scope every query to the calling user's tenant, so a customer cannot read or modify another customer's rows. |
| API authentication | API keys with per-key rate limiting and usage tracking. |
| Admin access | LoanStage engineers have no standing access to customer portfolio data; any access (for example during a support request) requires explicit customer authorisation. |
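The tenant isolation described in the table, as an added example that is not LoanStage's own schema or policy code. It assumes a Supabase-style PostgreSQL setup in which the Clerk JWT's `sub` claim reaches the database through the `request.jwt.claims` setting (what Supabase's `auth.jwt()` reads), a hypothetical `memberships` table mapping users to tenants (institutions), and the `authenticated` role that PostgREST uses for signed-in callers. Table names, the `jwt_user_id()` helper and the sample rows are all constructed for the example.

```sql
-- Added example, not LoanStage's schema: tenant isolation with PostgreSQL RLS
-- as used by Supabase. Assumed: the Clerk JWT's "sub" claim identifies the user,
-- and a hypothetical memberships table maps users to tenants (institutions).
create table tenants (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);
create table memberships (
  user_id   text not null,                         -- Clerk user id (JWT "sub")
  tenant_id uuid not null references tenants(id),
  primary key (user_id, tenant_id)
);
create table loans (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null references tenants(id),
  loan_ref  text not null,
  exposure  numeric(18, 2) not null
);

-- Caller identity from the JWT claims that PostgREST/Supabase put in the
-- request.jwt.claims setting (Supabase's auth.jwt() reads the same setting).
-- NULL for unauthenticated requests, so every policy below fails closed.
create or replace function jwt_user_id() returns text
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub'
$$;

-- FORCE applies the policies even to the table owner. The Supabase service_role
-- key bypasses RLS entirely, so it must never serve customer-facing queries.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table loans enable row level security;
alter table loans force row level security;

-- A user may only see their own memberships (the policy subquery below
-- runs under this policy, so it cannot be used to enumerate other tenants).
create policy memberships_self on memberships for select
  using (user_id = jwt_user_id());

-- Separate policies per verb. WITH CHECK is what stops a caller from inserting
-- or moving rows into another tenant; a SELECT-only USING clause would not.
create policy loans_select on loans for select
  using (tenant_id in (select tenant_id from memberships where user_id = jwt_user_id()));
create policy loans_insert on loans for insert
  with check (tenant_id in (select tenant_id from memberships where user_id = jwt_user_id()));
create policy loans_update on loans for update
  using      (tenant_id in (select tenant_id from memberships where user_id = jwt_user_id()))
  with check (tenant_id in (select tenant_id from memberships where user_id = jwt_user_id()));
create policy loans_delete on loans for delete
  using (tenant_id in (select tenant_id from memberships where user_id = jwt_user_id()));

-- Role that PostgREST uses for signed-in callers (already exists on Supabase).
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'authenticated') then
    create role authenticated nologin;
  end if;
end $$;
grant select on memberships to authenticated;
grant select, insert, update, delete on loans to authenticated;

-- Constructed data: two institutions, one user in each.
insert into tenants (id, name) values
  ('11111111-1111-1111-1111-111111111111', 'Bank A'),
  ('22222222-2222-2222-2222-222222222222', 'Bank B');
insert into memberships values
  ('user_a', '11111111-1111-1111-1111-111111111111'),
  ('user_b', '22222222-2222-2222-2222-222222222222');
insert into loans (tenant_id, loan_ref, exposure) values
  ('11111111-1111-1111-1111-111111111111', 'A-001', 250000.00),
  ('22222222-2222-2222-2222-222222222222', 'B-001', 980000.00);

-- Simulate a request from user_a and exercise both directions of isolation.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"user_a"}', true);
select loan_ref from loans;                            -- read: tenant A rows only
select count(*) from loans where loan_ref = 'B-001';   -- read of a foreign row
insert into loans (tenant_id, loan_ref, exposure)      -- write into a foreign tenant
  values ('22222222-2222-2222-2222-222222222222', 'rogue', 1.00);
rollback;
```

Run as a role that may create tables and roles. Inside the simulated transaction the first SELECT returns only `A-001`, the query for `B-001` returns a count of zero rather than an error (RLS filters silently, which is why application code must never treat "no rows" as "does not exist"), and the cross-tenant INSERT fails with `new row violates row-level security policy for table "loans"`. Two caveats follow from the setup: the Supabase `service_role` key bypasses RLS, so server-side code holding it must not run customer-facing queries; and a table created later without `enable row level security` is readable by every authenticated caller through the API, so a periodic query over `pg_class` for public-schema tables with `relrowsecurity` false is worth scheduling.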
4. Data Handling & Retention
| Data ownership | Customer retains full ownership of all uploaded data. |
| Data sharing | Portfolio data is never shared with or visible to other customers or third parties. |
| AI processing | When AI-assisted classification is used, loan data is sent to the Anthropic API (Claude). Under a zero-data-retention (ZDR) agreement, Anthropic does not store that data or use it to train models. |
| Retention policy | Data retained while account is active. Deleted within 30 days of account cancellation. |
| Data export | Full data export available on request at any time. |
| Right to erasure | Customer data deleted within 30 days of written request. Written confirmation of deletion is provided. |
5. Compliance
| GDPR | Fully compliant. Data processing agreement (DPA) available on request. |
| Data processor | LoanStage acts as data processor. Customer is data controller. |
| Sub-processors | Supabase (database), Vercel (hosting), Clerk (authentication), Anthropic (AI — zero retention), Stripe (payments). |
| Governing law | Republic of Lithuania. EU jurisdiction. |
| SOC 2 | LoanStage is in preparation for SOC 2 Type II audit. Clerk (authentication) is SOC 2 Type II certified. |
6. Audit Logging
| Classification audit trail | Every ECL (expected credit loss) classification decision is logged with its input data, SICR (significant increase in credit risk) indicators, resulting stage, ECL figure, method and timestamp. |
| Immutability | Audit records are append-only: rows are never updated or deleted, giving a tamper-evident, traceable history. |
| Export | Full audit log exportable as CSV for regulatory submissions. |
| Retention | Audit logs retained for the life of the account. |
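The append-only audit trail described in this section, as an added example that is not LoanStage's schema or code. The `ecl_classification_audit` table, its columns, the `loanstage_app` role, the `audit_*` functions and the sample rows are assumptions made for the example; `pgcrypto` supplies `digest()` and is available on Supabase. It goes one step beyond the page: besides withholding UPDATE/DELETE privileges and rejecting mutation with a trigger, it chains rows with SHA-256 so that a deletion or edit by someone who does hold the privileges is detectable, not merely forbidden.

```sql
-- Added example, not LoanStage's schema. Table name, column set and the
-- loanstage_app role are assumptions; pgcrypto supplies digest().
create extension if not exists pgcrypto;

create table ecl_classification_audit (
  id              bigint generated always as identity primary key,
  loan_id         text           not null,
  input_data      jsonb          not null,  -- snapshot of the inputs used
  sicr_indicators jsonb          not null,  -- which SICR triggers fired
  stage           smallint       not null check (stage in (1, 2, 3)),
  ecl             numeric(18, 2) not null,
  method          text           not null,  -- e.g. 'rule' or 'ai-assisted'
  created_at      timestamptz    not null default now(),
  prev_hash       text           not null,  -- filled by trigger
  row_hash        text           not null   -- filled by trigger
);

-- Layer 1: the application role may read and append, nothing else.
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'loanstage_app') then
    create role loanstage_app nologin;
  end if;
end $$;
grant select, insert on ecl_classification_audit to loanstage_app;

-- Layer 2: reject mutation even for roles that do hold the privileges
-- (the table owner, or a role granted DELETE by mistake later).
create or replace function audit_reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'ecl_classification_audit is append-only: % rejected', tg_op;
end $$;
create trigger ecl_audit_append_only
  before update or delete or truncate on ecl_classification_audit
  for each statement execute function audit_reject_mutation();

-- Layer 3 (beyond the page): hash chain. Every field the record attests is
-- hashed; the timestamp is rendered in UTC with a fixed format so that
-- recomputation does not depend on the session time zone.
create or replace function audit_row_hash(prev text, r ecl_classification_audit)
returns text language sql stable as $$
  select encode(digest(
    prev || '|' || r.loan_id || '|' || r.input_data::text || '|'
         || r.sicr_indicators::text || '|' || r.stage::text || '|' || r.ecl::text
         || '|' || r.method || '|'
         || to_char(r.created_at at time zone 'UTC', 'YYYY-MM-DD HH24:MI:SS.US'),
    'sha256'), 'hex')
$$;

create or replace function audit_chain_link() returns trigger
language plpgsql as $$
declare
  last_hash text;
begin
  -- Serialise inserts so two concurrent rows cannot claim the same predecessor.
  perform pg_advisory_xact_lock(hashtext('ecl_classification_audit'));
  select a.row_hash into last_hash
    from ecl_classification_audit a order by a.id desc limit 1;
  new.prev_hash := coalesce(last_hash, repeat('0', 64));  -- genesis row
  new.row_hash  := audit_row_hash(new.prev_hash, new);
  return new;
end $$;
create trigger ecl_audit_chain
  before insert on ecl_classification_audit
  for each row execute function audit_chain_link();

-- Verifier: rows whose link or contents no longer match what was recorded.
create view audit_chain_breaks as
  with checked as (
    select a.id, a.prev_hash, a.row_hash,
           audit_row_hash(a.prev_hash, a)       as recomputed,
           lag(a.row_hash) over (order by a.id) as expected_prev
    from ecl_classification_audit a
  )
  select id,
         case when prev_hash <> coalesce(expected_prev, repeat('0', 64))
              then 'link broken (row removed or reordered)'
              else 'contents altered' end as reason
  from checked
  where prev_hash <> coalesce(expected_prev, repeat('0', 64))
     or row_hash  <> recomputed;

-- Constructed sample: the same loan moving from stage 1 to stage 2.
insert into ecl_classification_audit
  (loan_id, input_data, sicr_indicators, stage, ecl, method) values
  ('LN-1001', '{"dpd": 0, "pd_now": 0.012}', '{"dpd_gt_30": false}', 1, 1200.00, 'rule');
insert into ecl_classification_audit
  (loan_id, input_data, sicr_indicators, stage, ecl, method) values
  ('LN-1001', '{"dpd": 45, "pd_now": 0.080}', '{"dpd_gt_30": true}', 2, 18500.00, 'rule');

select * from audit_chain_breaks;                   -- chain check
delete from ecl_classification_audit where id = 1;  -- exercises the append-only trigger
```

For an intact table the view returns no rows; the DELETE fails with the trigger's message regardless of who runs it. The limit of layers 1 and 2 is that a role that owns the table can drop the trigger and delete rows, and nothing in the database would show it afterwards; the chain closes that gap only if the latest `row_hash` is regularly copied somewhere the owner cannot edit (for example included in the CSV export sent to the regulator), so that a later `audit_chain_breaks` run can be compared against it.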
7. Vulnerability & Incident Management
| Dependency scanning | Automated via GitHub Dependabot. Critical vulnerabilities patched within 72 hours. |
| Incident response | Critical incidents communicated to affected customers within 24 hours. |
| Penetration testing | Annual third-party penetration testing. Reports available under NDA. |
| Security contact | hello@loanstage.app — subject: Security |
8. Vendor Risk Contact
| Security enquiries | hello@loanstage.app |
| DPA requests | hello@loanstage.app — subject: DPA Request |
| Penetration test report | Available under NDA on request |
| Vendor questionnaire | Standard security questionnaires completed on request |
Vendor risk review
For security questionnaires, DPA requests, penetration test reports or infrastructure architecture reviews, contact us directly.