Built on Trust

Trust Center

Transparency is the foundation of trust. Here's exactly where we stand on security, privacy, and compliance — what's in place today and what we're building next.

Our Commitment

Honest Security, Built in the Open

Early-Stage, Enterprise-Minded

We're an early-stage company building for enterprise customers. That means we're transparent about where we are today and where we're headed.

Security by Design

Security isn't bolted on after launch. Our architecture decisions — from parameterized queries to type-safe APIs — build security into the foundation.

Continuous Improvement

Our security posture evolves with every sprint. Items marked with timelines on this page are actively planned and resourced.

In Place Today

Current Security Practices

These protections are active in production right now.

Encryption in Transit

All data transmitted between clients and servers is encrypted via TLS. No exceptions.

SQL Injection Prevention

All database queries use parameterized queries via Prisma ORM. No raw SQL touches user input.

CI/CD Security Gates

Every code change passes automated linting, type checking, and test suites via GitHub Actions before deployment.

Secrets Management

All credentials and API keys are managed through environment variables, never committed to source control.

Type-Safe API Validation

TypeScript with Zod schema validation ensures data integrity at API boundaries. Malformed requests are rejected before processing.

Hardened Production Builds

Docker multi-stage builds minimize the attack surface with production-only dependencies and no development tooling.

Soft Deletes

Data is never permanently removed without explicit action. Accidental or malicious deletion is recoverable.

Managed Infrastructure

Hosted on managed PaaS with automatic OS patching, managed networking, and infrastructure-level security.

Version Control & Audit Trail

All code changes are tracked in Git with pull request reviews. Every change has an author and a reason.

Security Roadmap

Actively planned and resourced milestones. We publish updates here as each item ships.

Q2 2026: Authentication & Authorization

SSO/OAuth2 authentication replacing demo auth. Role-Based Access Control (RBAC) with granular permissions. Security headers and API rate limiting.

Q3 2026: Data Isolation & Protection

Multi-tenancy with row-level data isolation ensuring customers never see each other's data. Encryption at rest for sensitive columns. Comprehensive audit logging for all data access.

Q4 2026: SOC 2 Type I

Independent audit of the design of our security controls. Covers the Trust Service Criteria of security, availability, and confidentiality. Formal incident response plan and data retention procedures.

2027: SOC 2 Type II & Beyond

SOC 2 Type II demonstrating the operating effectiveness of controls over time. Third-party penetration testing. Cyber liability insurance. Continuous compliance monitoring.

Data Privacy

How We Handle Your Data

Your supply chain data is sensitive. Here's how we protect it.

Your Data Stays Yours

Customer data is never shared, sold, or used to train models. Your competitive intelligence remains exclusively yours.

Network Data Is Anonymized

REALM's network intelligence is built from anonymized, aggregated signals. No company-specific data is ever exposed to other participants.

Minimal Data Collection

We collect only the data necessary to deliver the service. No tracking pixels, no third-party analytics on your supply chain data.

Data Residency

All customer data is processed and stored within the United States. Infrastructure hosted on US-based cloud providers.

Infrastructure

Platform Architecture

Railway (PaaS)

Application hosting with managed infrastructure, automatic scaling, and built-in monitoring.

PostgreSQL (Managed)

Relational database with automated backups, point-in-time recovery, and connection encryption.

GitHub

Source control, CI/CD pipelines, and code review workflows.

Cloudflare

DNS, CDN, DDoS protection, and TLS certificate management for qwantifyr.com.

FAQs

Security & Trust FAQs

Common questions from security reviews and procurement teams.

Do you have SOC 2 certification?

Not yet. SOC 2 Type I is targeted for Q4 2026, with Type II to follow in 2027. We're happy to walk through our current controls in detail during a security review call.

How is customer data isolated?

Today, the platform operates in single-tenant pilot mode. Multi-tenancy with row-level data isolation is on our Q3 2026 roadmap. During the pilot phase, each customer's data is logically separated.

Can we do a security questionnaire?

Absolutely. We welcome security questionnaires and are happy to provide detailed responses. Contact us to start the process.

What happens to our data if we stop using REALM?

Your data is yours. Upon contract termination, we provide a full data export and confirm deletion within 30 days. Soft deletes ensure nothing is lost accidentally during the engagement.

Do you carry cyber liability insurance?

Cyber liability insurance is on our 2027 roadmap. We can discuss interim risk mitigation measures and our current coverage during a security review.

Who has access to our data?

Access is limited to founding engineers on a need-to-know basis. All access is logged. RBAC with formal access controls is targeted for Q2 2026.

Questions About Security?

We welcome security reviews, questionnaires, and direct conversations about our security posture. Transparency is how we build trust.