Does Verdikt train on or retain my data?

Anthropic and OpenAI at launch, with Google Gemini and Cohere added as the pipeline scales. Zero-data-retention amendments are executed before customer briefs flow to a provider. Briefs are not logged, not trained on, not retained past the request lifecycle.

Is traffic encrypted in transit?

TLS 1.3 via Vercel on every route. HSTS with includeSubDomains and a 2-year max-age once the canonical domain is preload-eligible.

Is stored data encrypted at rest?

AES-256 across Supabase Postgres, file storage, and Stripe-held payment metadata.

Who sees my data inside your stack?

Every processor that touches your data is named on this page. Updates ship 30 days before they take effect.

Are DPAs in place with sub-processors?

DPAs are executed before a sub-processor starts receiving customer data. The sub-processor table above shows status per vendor. Planned vendors are listed transparently and move to ACTIVE only after the DPA is countersigned.

Can I sign a customer DPA?

Email security@tryverdikt.app. Signed GDPR Article 28 template, ready to countersign.

Who has internal access to customer data?

Named engineers only. SSO with hardware-key 2FA. Every access logged.

Are you GDPR and CCPA compliant?

Export and deletion on request, resolved in 30 days. We do not sell personal data.

How do I report a vulnerability?

Email security@tryverdikt.app or use /.well-known/security.txt. Acknowledged within one business day.

How fast will you notify me of an incident?

If customer data is materially affected, we notify within 72 hours of confirming the incident.

SECURITY & TRUST

Your idea stays yours.

What you submit is read, analyzed, and never recycled. Here is exactly what we do with your data, where it goes, and who handles it.

We are an early-stage company and do not yet hold a third-party security certification such as SOC 2 or ISO 27001. The practices below are self-attested. If you need a signed DPA, sub-processor list, or a security questionnaire response, email security@tryverdikt.app.

ZERO RETENTIONALL LLM PROVIDERS

ENCRYPTIONAES-256 AT REST · TLS 1.3 IN TRANSIT

SUB-PROCESSORSFULLY DISCLOSED · DPAs IN PLACE

DISCLOSURE72-HOUR INCIDENT NOTIFICATION

DATA HANDLING

What we store, how long, who sees it.

Brief content (your pitch text)

Where: Encrypted at rest
Retention: 30 days after report delivery
Who sees it: Owner only

Verdict reports

Where: Encrypted at rest
Retention: Until deletion requested
Who sees it: Owner + invited collaborators

Audit log (who viewed what)

Where: Encrypted at rest
Retention: 12 months
Who sees it: Owner only

LLM prompt and response payloads

Where: Not logged. Zero retention.
Retention: 0 seconds after request lifecycle
Who sees it: n/a

Payment metadata

Where: Stripe-tokenized
Retention: 7 years (tax)
Who sees it: Verdikt finance

What	Where	Retention	Who sees it
Brief content (your pitch text)	Encrypted at rest	30 days after report delivery	Owner only
Verdict reports	Encrypted at rest	Until deletion requested	Owner + invited collaborators
Audit log (who viewed what)	Encrypted at rest	12 months	Owner only
LLM prompt and response payloads	Not logged. Zero retention.	0 seconds after request lifecycle	n/a
Payment metadata	Stripe-tokenized	7 years (tax)	Verdikt finance

SUB-PROCESSORS

Everyone with access to your data.

We list every third-party processor in our stack, including ones that haven't started receiving data yet. The status column tells you exactly which are live today. Updates go out 30 days before any new processor handles your data.

Vercel

ACTIVE

Purpose: Hosting, edge, serverless functions
Region: Global
Data protection: Vercel DPA in place

Supabase

ACTIVE on intake launch

Purpose: Auth, Postgres, file storage
Region: US-East
Data protection: Supabase DPA in place

Anthropic

ACTIVE on intake launch

Purpose: Claude API · primary research model
Region: US
Data protection: Zero data retention amendment on file at launch

OpenAI

ACTIVE on intake launch

Purpose: GPT-5 API · synthesis fallback
Region: US
Data protection: Zero data retention amendment on file at launch

Google (Gemini)

PLANNED · activates as pipeline scales

Purpose: Gemini API · long-context ingestion
Region: US
Data protection: Zero data retention amendment on file before activation

Cohere

PLANNED · activates as pipeline scales

Purpose: Embeddings and rerank
Region: US
Data protection: Zero data retention amendment on file before activation

Perplexity

PLANNED · ACTIVE on intake launch

Purpose: Sonar Pro · live source corroboration
Region: US
Data protection: Zero data retention amendment on file before activation

Inngest

ACTIVE on pipeline launch

Purpose: Pipeline job orchestration
Region: US
Data protection: Inngest DPA in place

Stripe

ACTIVE on paid checkout launch

Purpose: Payments processing
Region: Global
Data protection: PCI-DSS Level 1

Resend

ACTIVE on contact form go-live

Purpose: Transactional email
Region: US-East
Data protection: Resend DPA in place

PostHog

PLANNED · gated behind cookie consent

Purpose: Self-hosted product analytics
Region: EU-Central
Data protection: EU-only data plane

VENDOR	PURPOSE	REGION	DATA PROTECTION	STATUS
Vercel	Hosting, edge, serverless functions	Global	Vercel DPA in place	ACTIVE
Supabase	Auth, Postgres, file storage	US-East	Supabase DPA in place	ACTIVE on intake launch
Anthropic	Claude API · primary research model	US	Zero data retention amendment on file at launch	ACTIVE on intake launch
OpenAI	GPT-5 API · synthesis fallback	US	Zero data retention amendment on file at launch	ACTIVE on intake launch
Google (Gemini)	Gemini API · long-context ingestion	US	Zero data retention amendment on file before activation	PLANNED · activates as pipeline scales
Cohere	Embeddings and rerank	US	Zero data retention amendment on file before activation	PLANNED · activates as pipeline scales
Perplexity	Sonar Pro · live source corroboration	US	Zero data retention amendment on file before activation	PLANNED · ACTIVE on intake launch
Inngest	Pipeline job orchestration	US	Inngest DPA in place	ACTIVE on pipeline launch
Stripe	Payments processing	Global	PCI-DSS Level 1	ACTIVE on paid checkout launch
Resend	Transactional email	US-East	Resend DPA in place	ACTIVE on contact form go-live
PostHog	Self-hosted product analytics	EU-Central	EU-only data plane	PLANNED · gated behind cookie consent

PRACTICES

What we commit to today.

Each item below is either operating today or wired in code and waiting on the relevant launch. Where a practice activates only when its sub-processor goes live, it inherits that vendor's status from the table above. We update this page when any item changes.

Zero data retention on every LLM provider.Anthropic and OpenAI at launch, with Google Gemini and Cohere added as the pipeline scales. Zero-data-retention amendments are executed before customer briefs flow to a provider. Briefs are not logged, not trained on, not retained past the request lifecycle.
Encryption in transit.TLS 1.3 via Vercel on every route. HSTS with includeSubDomains and a 2-year max-age once the canonical domain is preload-eligible.
Encryption at rest.AES-256 across Supabase Postgres, file storage, and Stripe-held payment metadata.
Sub-processor disclosure.Every processor that touches your data is named on this page. Updates ship 30 days before they take effect.
Signed DPAs with every active sub-processor.DPAs are executed before a sub-processor starts receiving customer data. The sub-processor table above shows status per vendor. Planned vendors are listed transparently and move to ACTIVE only after the DPA is countersigned.
Customer DPA on request.Email security@tryverdikt.app. Signed GDPR Article 28 template, ready to countersign.
Least-privilege access.Named engineers only. SSO with hardware-key 2FA. Every access logged.
GDPR and CCPA aligned.Export and deletion on request, resolved in 30 days. We do not sell personal data.
Vulnerability disclosure.Email security@tryverdikt.app or use /.well-known/security.txt. Acknowledged within one business day.
72-hour incident notification.If customer data is materially affected, we notify within 72 hours of confirming the incident.

REPORTING

Found something? Tell us.

Security researchers and customers can report a concern at any time. We acknowledge within one business day and ship a remediation timeline within 72 hours.

security@tryverdikt.app