Built for owners who can't afford to leak.
Your financials, customer concentration, and exit timing are some of the most sensitive data you'll ever hand over. Here's how we protect them.
Encryption everywhere
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Backups inherit the same controls.
Row-level access control
Postgres RLS policies enforce that an account can only ever read or modify its own records. Server-side checks back up every client query.
Sub-processors
Supabase (database / auth), Cloudflare (edge runtime), and Resend (email). All SOC 2 Type II.
No third-party trackers
We do not run Facebook Pixel, Google Analytics, or other ad-network trackers. Product analytics is first-party only.
Audit logging
Authentication events, report generations, and admin actions are logged with retention. Customers can request a log export.
Responsible disclosure
Found a vulnerability? Email security@exitready.ai. We respond within 24 hours and credit researchers in our hall of fame.
Compliance roadmap
ExitReady AI is in active SOC 2 Type II preparation, with target attestation in late 2026. Until then, we follow SOC 2 Common Criteria controls operationally and can share our security controls overview under NDA. Email security@exitready.ai.
Data deletion
Delete your account at any time from the dashboard and your assessments, valuations, and PII are permanently purged within 30 days. Aggregated, fully anonymized statistics may be retained for model improvement.