SECURITY
How we protect your data
Stoneset is a compliance tool — so we hold ourselves to the same standard we help our customers achieve. Here is exactly how we protect your data.
Deterministic, not generative
Stoneset's classification engine uses deterministic logic — no AI, no LLMs, no probabilistic outputs. Every classification result is provably repeatable and fully auditable. Your data is never processed by machine learning models, never sent to OpenAI, Anthropic, or any third-party AI provider, and never used for model training. The compliance decisions your organisation relies on are based on transparent rule-based logic, not black-box predictions.
Security practices
EU Data Residency
All data is stored in Supabase's Frankfurt (eu-central-1) region. Your compliance data never leaves the European Union. No transatlantic transfers.
Encryption
Data is encrypted at rest (AES-256) and in transit (TLS 1.3). All connections use HTTPS with HSTS preloading enabled.
Row-Level Security
Every database table uses PostgreSQL Row-Level Security policies. Your organisation's data is isolated at the database level — not just the application level.
No AI Training on Your Data
Stoneset's classification engine is deterministic — pure logic, no machine learning. Your data is never used to train AI models, never sent to third-party AI providers, and never used for any purpose beyond serving your account.
Input Validation
Every API endpoint validates input with Zod schemas, enforces body size limits, and applies rate limiting. SQL injection, XSS, and other OWASP Top 10 attacks are mitigated by design.
Infrastructure Security
Hosted on Vercel's SOC 2 Type II certified infrastructure. Content Security Policy headers, X-Frame-Options, referrer policy, and strict transport security are enforced on every response.
Access Controls
Role-based access control (admin, editor, viewer) on every organisation. Authentication via Supabase Auth with secure session management and automatic token refresh.
GDPR-Compliant Deletion
Full account deletion cascades across all tables, cancels active Stripe subscriptions, removes the auth user, and clears local storage. Your right to erasure, fully implemented.
Subprocessors
These are the third-party services that process data on Stoneset's behalf. All have appropriate data processing agreements in place.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | Frankfurt, Germany (EU) |
| Vercel | Application hosting and CDN | Global edge, EU origin |
| Stripe | Payment processing | EU (Irish entity) |
| Resend | Transactional email delivery | United States (DPA in place) |
| Upstash | Rate limiting (Redis) | EU region |
Responsible disclosure
If you discover a security vulnerability, please report it responsibly. We do not operate a formal bug bounty programme, but we appreciate and acknowledge reports from the security community.
Contact: contact@stoneset.ai
Questions about our security?
Contact us at contact@stoneset.ai and we will be happy to provide additional details or discuss a DPA.