Security

Built to survive a compliance review

You hold a fiduciary duty to your clients. This page sets out precisely how their assessment data and your account are protected, and what we deliberately never collect.

The strongest control we have

The data we never collect cannot be breached

Most tools in this space defend a large pile of sensitive client data. We took the other route and built a product that barely needs any. For each of your clients we hold a first name, a last initial, 24 assessment answers, six dimension scores, and an archetype. That is the entire file.

What Client Chemistry never receives

Client email addresses
Financial account numbers, balances, or holdings
Meeting recordings, transcripts, or notes
Social insurance or social security numbers
Documents, statements, or plan files

There is no field anywhere in the product to upload a transcript, a statement, or a client document. Your clients' sensitive data stays in your CRM and your custodian, where it belongs.

Account and data protection

How logins and reports are secured

Passwords are never stored in readable form

Authentication is handled by Supabase Auth. Passwords are hashed with bcrypt before they reach storage. We do not see, log, or store your password in any readable form, and no one at Client Chemistry can retrieve it.

The database itself refuses cross-firm access

Every table has row-level security enabled, scoped to your firm. This is enforced by Postgres, not by application code, so even a bug in our app cannot hand another advisor your clients. On top of that, every server request re-checks that the record belongs to your firm before it returns anything.

Encrypted in transit and at rest

All traffic runs over TLS, and the database is encrypted at rest by our infrastructure providers. Our HTTPS is enforced by HSTS, so a browser will not fall back to an unencrypted connection.

Privileged keys never reach the browser

The service key that can bypass row-level security exists only on the server and is never bundled into any page. Internal report-generation endpoints additionally require a shared secret, so they cannot be triggered from a browser at all.

Sessions are hardened

Sessions use HTTP-only cookies, so page scripts cannot read your session token. The app cannot be embedded in a frame, and we deny camera, microphone, geolocation, and payment permissions outright.

Signup is closed during the beta

Accounts can only be created with an invite code we issue, so the surface is a small, known group of advisors rather than the open internet.

Who touches your data

Three vendors. That is the whole list.

We do not sell your data, we do not share it with other advisors or firms, and we do not use it for advertising.

Supabase

Database and authentication

Stores your account and assessment data. Encrypted at rest. Row-level security is enforced here, by the database itself.

SOC 2 Type 2 · ISO 27001 · HIPAA

Vercel

Application hosting

Serves the application over TLS. Analytics are cookieless and collect no personal information.

SOC 2 Type 2 · ISO 27001 · GDPR · PCI DSS

Anthropic

AI report generation

Receives first names, archetypes, and dimension scores to write the report narrative. Nothing else. Anthropic does not train its models on data submitted through its commercial API.

These are our providers' certifications, held by them. They are not certifications of Client Chemistry itself. See below for exactly what that distinction means.

Compliance

Certification status

Client Chemistry runs on infrastructure that is independently audited: Supabase and Vercel each hold SOC 2 Type 2 and ISO 27001 certifications.

Client Chemistry has not yet completed its own SOC 2 audit. A SOC 2 report covers an organization's internal controls, such as production access management, change management, and incident response. It is specific to the company being audited and is not conferred by a hosting provider. Two-factor authentication is on our near-term roadmap.

If your firm requires a completed due-diligence questionnaire or a specific certification before onboarding a vendor, contact info@clientchemistry.com.