Security
Built to survive a compliance review
You hold a fiduciary duty to your clients. This page sets out precisely how their assessment data and your account are protected, and what we deliberately never collect.
The strongest control we have
The data we never collect cannot be breached
Most tools in this space defend a large pile of sensitive client data. We took the other route and built a product that barely needs any. For each of your clients we hold a first name, a last initial, 24 assessment answers, six dimension scores, and an archetype. That is the entire file.
What Client Chemistry never receives
There is no field anywhere in the product to upload a transcript, a statement, or a client document. Your clients' sensitive data stays in your CRM and your custodian, where it belongs.
Account and data protection
How logins and reports are secured
Passwords are never stored in readable form
Authentication is handled by Supabase Auth. Passwords are hashed with bcrypt before they reach storage. We do not see, log, or store your password in any readable form, and no one at Client Chemistry can retrieve it.
The database itself refuses cross-firm access
Every table has row-level security enabled, scoped to your firm. This is enforced by Postgres, not by application code, so even a bug in our app cannot hand another advisor your clients. On top of that, every server request re-checks that the record belongs to your firm before it returns anything.
Encrypted in transit and at rest
All traffic runs over TLS, and the database is encrypted at rest by our infrastructure providers. Our HTTPS is enforced by HSTS, so a browser will not fall back to an unencrypted connection.
Privileged keys never reach the browser
The service key that can bypass row-level security exists only on the server and is never bundled into any page. Internal report-generation endpoints additionally require a shared secret, so they cannot be triggered from a browser at all.
Sessions are hardened
Sessions use HTTP-only cookies, so page scripts cannot read your session token. The app cannot be embedded in a frame, and we deny camera, microphone, geolocation, and payment permissions outright.
Signup is closed during the beta
Accounts can only be created with an invite code we issue, so the surface is a small, known group of advisors rather than the open internet.
Who touches your data
Three vendors. That is the whole list.
We do not sell your data, we do not share it with other advisors or firms, and we do not use it for advertising.
Supabase
Database and authentication
Stores your account and assessment data. Encrypted at rest. Row-level security is enforced here, by the database itself.
SOC 2 Type 2 · ISO 27001 · HIPAA
Vercel
Application hosting
Serves the application over TLS. Analytics are cookieless and collect no personal information.
SOC 2 Type 2 · ISO 27001 · GDPR · PCI DSS
Anthropic
AI report generation
Receives first names, archetypes, and dimension scores to write the report narrative. Nothing else. Anthropic does not train its models on data submitted through its commercial API.
These are our providers' certifications, held by them. They are not certifications of Client Chemistry itself. See below for exactly what that distinction means.
Compliance
Certification status
Client Chemistry runs on infrastructure that is independently audited: Supabase and Vercel each hold SOC 2 Type 2 and ISO 27001 certifications.
Client Chemistry has not yet completed its own SOC 2 audit. A SOC 2 report covers an organization's internal controls, such as production access management, change management, and incident response. It is specific to the company being audited and is not conferred by a hosting provider. Two-factor authentication is on our near-term roadmap.
If your firm requires a completed due-diligence questionnaire or a specific certification before onboarding a vendor, contact info@clientchemistry.com.