How the platform protects your data
A candid inventory of what's actually shipped, including the gaps we haven't closed yet. We'd rather be specific than wave around “enterprise-grade” copy.
Last updated: June 2026

Authentication, approval, and webhook integrity

Authentication: Clerk (SOC 2 Type II provider)
[SHIPPED] Google OAuth and email/password login. MFA support, password policy enforcement, brute-force throttling, and session management are all owned by Clerk. We never see a password.

Approval gate
[SHIPPED] Self-signups land in a pending state and cannot reach the platform until a super-admin approves them. A stray Google account cannot auto-provision itself in.

Webhook integrity
[SHIPPED] Clerk and Inngest webhooks are signature-verified (svix / HMAC) before any database write.
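An added example (not Soundcheck's code) of the svix-style check described above, run before any handler logic: timestamp tolerance, HMAC-SHA256 over id, timestamp and raw body, and a constant-time compare. The `whsec_` secret format, the 5-minute tolerance and the sample payload are assumptions for the demo.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not Soundcheck's code. Verifies an svix-style webhook signature
// before any handler logic runs. Assumed: the secret is the "whsec_<base64>" form,
// the signed string is "<id>.<timestamp>.<body>", and the signature header carries
// one or more space-separated "v1,<base64>" entries (several during key rotation).
const TOLERANCE_SECONDS = 300; // reject replays of old, validly signed deliveries

interface SvixHeaders { "svix-id": string; "svix-timestamp": string; "svix-signature": string }

function secretKey(secret: string): Buffer {
  return Buffer.from(secret.replace(/^whsec_/, ""), "base64");
}

function verifySvixWebhook(rawBody: string, h: SvixHeaders, secret: string, nowSeconds: number): boolean {
  if (!/^\d+$/.test(h["svix-timestamp"])) return false;
  const ts = Number(h["svix-timestamp"]);
  if (Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) return false;
  // MAC the raw bytes as received: re-serialising parsed JSON would change the value.
  const expected = createHmac("sha256", secretKey(secret))
    .update(`${h["svix-id"]}.${h["svix-timestamp"]}.${rawBody}`).digest();
  return h["svix-signature"].split(" ").some(entry => {
    const [version, sig] = entry.split(",");
    if (version !== "v1" || !sig) return false;
    const got = Buffer.from(sig, "base64");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// Sender side, only so the demo can produce a valid delivery to check against.
function signForDemo(rawBody: string, id: string, ts: number, secret: string): string {
  return "v1," + createHmac("sha256", secretKey(secret)).update(`${id}.${ts}.${rawBody}`).digest("base64");
}
```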
Role model, scoped queries, and cross-agency rejection

Three-tier role model
[SHIPPED] super_admin (Soundcheck staff), admin (agency operator), user (agency seat-holder). Roles are enforced server-side. Client-side checks are UI sugar only.

Scoped queries by default
[SHIPPED] Every database read for a tenant resource flows through a single helper that filters by agency and assignment. No raw queries bypass it.

Layout-level gates
[SHIPPED] Direct URLs to super-admin or admin-only routes are gated at the layout layer.

Cross-agency rejection
[SHIPPED] Server actions validate that every resource belongs to the operator's own agency before mutating.

Soft delete
[SHIPPED] Tenant resources carry a deleted-at flag. Queries always filter on it. Accidental deletes are recoverable.
Schema-layer silo and contractual commitments

Schema-layer silo
[SHIPPED] Every tenant table carries an agency_id foreign key.

Contractual commitments (Trial Tier Terms, section 7.3)
[ACTIVE]
- No operator's confidential information used to develop competing products.
- Aggregated learnings anonymized to a non-identifiable level.
- Internal admin access limited to necessary personnel, bound by written confidentiality.
- Internal admin-access logs maintained and producible on request.
Per-project lockdown for regulated industries

Finance, healthcare, defense. An operator-flippable toggle that locks super-admins out of project content at the server level.

What gets locked
[SHIPPED] Super-admins cannot open project detail, dashboard, reports, personas, share links, bot conversations, or file downloads. Server-side enforcement.

What stays visible
[BY DESIGN] Project existence, owning agency, product type, status, and aggregate token counts (for billing only).

Toggle control
[SHIPPED] Only the project owner or admin of the owning agency can toggle. Super-admins cannot disable it.

Strategic project inheritance
[SHIPPED] GoGlobal and Scale engagements inherit Incognito from their parent research project.

Audit trail
[SHIPPED] Every flip is recorded with actor and timestamp.

Limitation (we are being honest)
Automated workers (research generation, dashboard distillation) still run inside the project. Data never reaches a human at Soundcheck while the flag is on. It only reaches Anthropic's API under their no-training agreement.
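An added example (not Soundcheck's code) that models the three-tier roles, the single agency-scoped read helper, soft delete, and the Incognito lockout and toggle rules from the sections above. Field names, the in-memory rows and the audit record shape are assumptions.

```typescript
// Added example, not Soundcheck's code. Models the rules above: three roles, one
// agency-scoped read helper, soft delete, and the Incognito lockout that leaves a
// super-admin with metadata only. The rows below are constructed sample data.
type Role = "super_admin" | "admin" | "user";
interface Actor { id: string; role: Role; agencyId: string | null }
interface Project {
  id: string; agencyId: string; ownerId: string; assignees: string[];
  incognito: boolean; deletedAt: string | null; content: string; tokens: number;
}
type ProjectMeta = Pick<Project, "id" | "agencyId" | "incognito" | "tokens">;

const projects: Project[] = [
  { id: "p1", agencyId: "a1", ownerId: "u1", assignees: ["u1", "u2"],
    incognito: false, deletedAt: null, content: "report A", tokens: 120 },
  { id: "p2", agencyId: "a1", ownerId: "u1", assignees: ["u1"],
    incognito: true, deletedAt: null, content: "report B", tokens: 300 },
  { id: "p3", agencyId: "a2", ownerId: "u9", assignees: ["u9"],
    incognito: false, deletedAt: "2026-05-01", content: "report C", tokens: 50 },
];
const auditLog: { projectId: string; actorId: string; on: boolean; at: string }[] = [];

// The single read helper: every tenant read filters on deleted_at, agency and assignment.
function scopedProjects(actor: Actor): Project[] {
  return projects.filter(p => p.deletedAt === null && (
    actor.role === "super_admin" ||
    (p.agencyId === actor.agencyId &&
      (actor.role === "admin" || p.assignees.indexOf(actor.id) !== -1))));
}

// Incognito: a super-admin gets existence, owning agency and token count, never content.
function readProject(actor: Actor, id: string): Project | ProjectMeta | null {
  const p = scopedProjects(actor).filter(row => row.id === id)[0];
  if (!p) return null;
  if (p.incognito && actor.role === "super_admin") {
    return { id: p.id, agencyId: p.agencyId, incognito: true, tokens: p.tokens };
  }
  return p;
}

// Toggle: only the project owner or an admin of the owning agency; every flip is audited.
function setIncognito(actor: Actor, id: string, on: boolean, now: string): boolean {
  const p = projects.filter(row => row.id === id && row.deletedAt === null)[0];
  if (!p || actor.role === "super_admin" || p.agencyId !== actor.agencyId) return false;
  if (p.ownerId !== actor.id && actor.role !== "admin") return false;
  p.incognito = on;
  auditLog.push({ projectId: id, actorId: actor.id, on, at: now });
  return true;
}
```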
Encryption in transit and at rest, key management

TLS in transit
[ACTIVE] All traffic over Vercel TLS 1.2+. Database connections use Neon TLS. File uploads via signed HTTPS URLs.

At-rest encryption
[ACTIVE] Neon Postgres AES-256. Vercel Blob encrypts at rest.

Secrets management
[ACTIVE] All API keys in Vercel environment variables. Nothing committed to source. .env.local gitignored.

Anthropic API key isolation
[ACTIVE] Server-side only. Every Claude call runs in Inngest functions or server actions. The key is never reachable from the browser.
Direct-to-blob, server-side parsing, validation

Direct-to-Blob uploads
[SHIPPED] Via short-lived signed URLs. The platform never proxies bytes through application servers.

Server-side parsing
[SHIPPED] PDFs, DOCX, XLSX, PPTX, and images are parsed server-side. Raw binaries stay in Blob storage.

MIME and size validation
[SHIPPED] Validated at both upload time and parse time.
Non-guessable URLs, password gates, instant disable

Non-guessable URLs
[SHIPPED] 12-character random slug, 71 bits of entropy.

Optional password gate
[SHIPPED] Per-share bcrypt(12)-hashed password with HMAC-signed cookie session.

Disable on demand
[SHIPPED] Returns 404 immediately. Slug stays bound for re-enable.

No platform chrome on shared views
[BY DESIGN] Shared dashboards show no Soundcheck navigation or branding.

Incognito Mode beats sharing
[BY DESIGN] Public share still works for end-clients. The lockout is for Soundcheck staff only.
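An added example (not Soundcheck's code) of the two share-link pieces above: slug generation with the entropy the page cites, and the HMAC-signed cookie that carries a password-gate session. It assumes a 62-symbol alphanumeric alphabet (which yields the 71 bits) and leaves the bcrypt(12) password check itself out; the secret and the cookie layout are constructed for the demo.

```typescript
import { createHmac, randomInt, timingSafeEqual } from "crypto";

// Added example, not Soundcheck's code. A 62-symbol alphabet is assumed: 12 symbols
// drawn uniformly from it give 12 * log2(62), about 71 bits, matching the page.
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
const SLUG_LENGTH = 12;

function newShareSlug(): string {
  let slug = "";
  // randomInt is a CSPRNG draw; Math.random would make the slug guessable.
  for (let i = 0; i < SLUG_LENGTH; i++) slug += ALPHABET.charAt(randomInt(ALPHABET.length));
  return slug;
}

// Bits of entropy for a uniformly random slug: length * log2(alphabet size).
function slugEntropyBits(length = SLUG_LENGTH, alphabetSize = ALPHABET.length): number {
  return length * (Math.log(alphabetSize) / Math.LN2);
}

// Cookie value "<slug>.<expiresAt>.<mac>" (layout assumed): the MAC covers slug and
// expiry, so the cookie cannot be moved to another share or extended by editing it.
function signShareCookie(slug: string, expiresAt: number, secret: string): string {
  const payload = `${slug}.${expiresAt}`;
  const mac = createHmac("sha256", secret).update(payload).digest("hex");
  return `${payload}.${mac}`;
}

// Check the MAC in constant time first, then that the cookie is for this slug and unexpired.
function verifyShareCookie(cookie: string, slug: string, secret: string, now: number): boolean {
  const parts = cookie.split(".");
  if (parts.length !== 3) return false;
  const [cookieSlug, expiresAt, mac] = parts;
  const want = createHmac("sha256", secret).update(`${cookieSlug}.${expiresAt}`).digest();
  const got = Buffer.from(mac, "hex");
  if (got.length !== want.length || !timingSafeEqual(got, want)) return false;
  return cookieSlug === slug && /^\d+$/.test(expiresAt) && Number(expiresAt) > now;
}
```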
Session binding, signature verification, audit log

Per-conversation session binding
[SHIPPED] Each session is bound to one share slug and one Telegram user ID.

Webhook signature verification
[SHIPPED] 403 on unsigned requests.

Operator-only audit log
[SHIPPED] Every message is persisted and visible via the Bot Conversations panel.

Deep-link gating
[SHIPPED] Bot deep-link only minted with an active monthly subscription or admin access.

Same data boundary
[BY DESIGN] No cross-project access.
Model training, synthetic personas, context isolation, anonymization

This is usually the first thing enterprise buyers ask about.

No model training on prompts
[ACTIVE] Anthropic's API agreement does not use prompt/response content for training.

Synthetic personas
[BY DESIGN] Constructs grounded in research, not real identifiable persons.

Per-engagement context isolation
[SHIPPED] Each Claude call is scoped to one project. No cross-tenant pooling.

Anonymized engagement pool (Stage 1, platform-only)
[SHIPPED]
- Categorical tags only (archetype, friction, concept-pattern, score band).
- No client names, brand names, or verbatim quotes.
- Origin hash: SHA-256 with environment-protected salt (computationally one-way).
- k-anonymity >= 5 enforced at every aggregate query layer.
- Quarterly re-identification audit cron.
- Operator opt-out at agency and per-engagement level.
- Incognito Mode projects excluded automatically.

Stage 2 (cross-operator benchmarks) and Stage 3 (external reports) are NOT live.
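An added example (not Soundcheck's code) of the Stage 1 pool rules above: the salted SHA-256 origin hash, the categorical-only projection that also drops Incognito and opted-out engagements, and k >= 5 suppression at the aggregate layer. Field names, the grouping key and the sample rows are assumptions.

```typescript
import { createHash } from "crypto";

// Added example, not Soundcheck's code. Only categorical tags leave an engagement,
// the origin is a salted SHA-256 hash, Incognito and opted-out engagements never
// enter, and the aggregate layer suppresses any group below k = 5. Field names,
// the grouping key, the salt and the rows are constructed for the demo.
const K_MIN = 5;
interface Tags { archetype: string; friction: string; scoreBand: string }
interface PoolRow extends Tags { origin: string }
interface Engagement extends Tags {
  id: string; clientName: string; quote: string; incognito: boolean; optedOut: boolean;
}

// One-way origin reference: the salt comes from the environment, never from the row,
// so a pool row cannot be joined back to an engagement without it.
function originHash(engagementId: string, salt: string): string {
  return createHash("sha256").update(`${salt}:${engagementId}`).digest("hex");
}

// Projection into the pool: names and verbatim quotes are dropped here, not later.
function toPoolRow(e: Engagement, salt: string): PoolRow | null {
  if (e.incognito || e.optedOut) return null;
  return { origin: originHash(e.id, salt), archetype: e.archetype,
           friction: e.friction, scoreBand: e.scoreBand };
}

// Aggregate layer: count per (archetype, friction, scoreBand) tuple and drop any
// tuple with fewer than K_MIN rows, so no combination of tags singles out an engagement.
function aggregate(rows: PoolRow[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of rows) {
    const key = `${r.archetype}|${r.friction}|${r.scoreBand}`;
    counts[key] = (counts[key] ?? 0) + 1;
  }
  const released: Record<string, number> = {};
  for (const key in counts) if (counts[key] >= K_MIN) released[key] = counts[key];
  return released;
}
```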
Snapshot model, audit logs, frozen pricing, no PCI scope

Snapshot model
[SHIPPED] Every project snapshots its tier and rate at creation. Changes never retroactively re-bill.

Tier change audit log
[SHIPPED] Actor, timestamp, prior/new tier, and reason recorded on every change.

Frozen Reference Pricelist for Founding Cohort
[ACTIVE] Future MSRP hikes never retro-price Founding Cohort operators.

Month-by-month billing
[SHIPPED] Once a billing month is closed, line items are frozen and uneditable.

Incognito Mode and billing
[BY DESIGN] Rollups use metadata-only joins. Billing never opens locked project content.

No payment data on the platform
[BY DESIGN] Operators are billed off-platform via wire/ACH. No credit cards, no Stripe, no PCI scope.
T&C acceptance, versioning, admissibility, export

Per-user T&C acceptance
[SHIPPED] Captures timestamp, IP, user-agent, and exact version accepted.

Version re-prompt
[SHIPPED] Users are re-prompted on new T&C versions automatically.

Admissibility framework
[ACTIVE] Florida Uniform Electronic Transaction Act and federal E-SIGN Act.

Litigation export
[SHIPPED] Printable per-user record with CSV export.
The gaps, listed plainly

This is usually where vendor security pages go quiet. We would rather list it.

How to reach us

Email info@soundcheckinsights.com with the subject line “Security report”.
Security reports are prioritized above everything else. Acknowledged within one business day.
Legal questions: valter@soundcheckinsights.com