Security
Company: Inclusive Digital, Co.
Questions? Email hello@inclusivedigital.co
Inclusive Digital is designed for organizations that handle sensitive procurement and accessibility data. This page summarizes the technical and organizational controls we use to protect that data. If you have specific security questions or require a Data Processing Agreement (DPA), email hello@inclusivedigital.co.
Infrastructure
The platform is hosted on Vercel (Azure-backed global infrastructure) with serverless compute and a global CDN. Database storage is provided by Supabase (AWS us-east-1). All infrastructure is managed by vendors with established security programmes; see Sub-processors below.
- Hosted in the United States on SOC 2-certified cloud infrastructure
- Serverless architecture — no persistent servers to patch or compromise
- Global CDN with automatic DDoS mitigation via Vercel
Encryption
- In transit: All connections are encrypted via TLS 1.2+. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and preload, preventing downgrade attacks.
- At rest: All data stored in Supabase is encrypted at rest using AES-256.
- Uploaded documents: Documents submitted for evaluation are transmitted over encrypted connections and are not stored in plaintext.
Authentication & access control
Authentication is handled by Clerk (SOC 2 Type II certified). Inclusive Digital does not store passwords.
- Passwords hashed and managed by Clerk — never stored by Inclusive Digital
- Multi-factor authentication (MFA) available on all accounts
- Session tokens are short-lived and rotated on re-authentication
- Row-Level Security (RLS) enforced at the database layer — queries are scoped to the authenticated user; no customer can access another customer's data
- Admin access is role-gated and audited separately from standard user access
Application security
- Content Security Policy (CSP): Restricts which scripts, styles, and resources can load — mitigates XSS attacks
- HTTP Strict Transport Security (HSTS): Two-year max-age with preload
- Cross-Origin policies: Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy enforced
- Clickjacking protection: X-Frame-Options: SAMEORIGIN
- MIME sniffing protection: X-Content-Type-Options: nosniff
- Rate limiting: All API endpoints are rate-limited at the IP level (15 requests / 10 minutes) and user level (50 requests / hour) to prevent abuse and credential stuffing
- Webhook verification: Cryptographic signature verification on all inbound webhooks (Clerk via Svix; Stripe)
Data handling
- Uploaded documents are processed to generate evaluations and are not shared with other users or organizations
- Documents are not used to train, fine-tune, or improve AI models without prior express written consent
- PII is automatically scrubbed from document content before transmission to AI sub-processors
- Data is retained for the duration of an active account, plus 90 days for backup recovery after deletion
- Analytics (Google Analytics 4) are only activated after explicit cookie consent — no tracking without opt-in
AI sub-processor (Anthropic)
Document analysis is powered by Anthropic's Claude API. Personally identifiable information is scrubbed from documents before transmission. Anthropic's API terms prohibit use of API inputs and outputs to train models without consent. Inclusive Digital does not send raw customer data to Anthropic beyond the document content necessary for evaluation.
Vulnerability disclosure
If you discover a security vulnerability in the Inclusive Digital platform, please report it responsibly by emailing hello@inclusivedigital.co with a description of the issue and steps to reproduce. We aim to acknowledge reports within 2 business days and will work to resolve confirmed vulnerabilities promptly. We ask that you do not publicly disclose the issue until we have had the opportunity to address it.
Data Processing Agreements
Organizations that require a Data Processing Agreement (DPA) — for example, those subject to GDPR, FERPA, or institutional procurement requirements — may request one by emailing hello@inclusivedigital.co.
Sub-processors
Inclusive Digital uses the following third-party sub-processors to deliver the platform. Each has been selected for its security posture and is governed by a Data Processing Agreement or equivalent contractual terms.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Cloud hosting, CDN, serverless compute | United States / Global CDN |
| Supabase | Database storage (evaluation history, rate-limiting) | United States (AWS us-east-1) |
| Clerk | User authentication and account management | United States |
| Anthropic | AI-powered document analysis | United States |
| Stripe | Payment processing and subscription management | United States |
| Google Analytics 4 | Anonymized website analytics (consent-gated) | United States |
Last reviewed: 9 May 2026. For questions about this page, email hello@inclusivedigital.co.