Sheetora

Security & Compliance

Sheetora is built for teams handling sensitive business data. Here's exactly where your data lives and how we protect it.

Data Residency

Every sub-processor we use, where your data lives, and how it is protected.

Data Type | Storage Location | Protection
Files (CSV/Excel) | Supabase Storage — Northeast Asia (Tokyo) | AES-256 at rest, TLS in transit
Database (user data, dashboards) | Supabase PostgreSQL — Northeast Asia (Tokyo) | AES-256 at rest, TLS in transit
Application hosting | Vercel — United States / Global edge CDN | TLS in transit
AI insight / Ask AI (only schema metadata) | Third-party AI APIs (Anthropic / OpenAI / Gemini) | Schema metadata only — column names and types. Raw row data never sent.
Email delivery | Resend — United States | TLS in transit
Error tracking | Sentry — European Union (Germany) | No PII in error logs
Analytics | PostHog — United States | Anonymized usage data only
Rate limiting / queues | Upstash Redis — United States | In-memory, no persistent PII

LLM Data Boundary

What happens to your data at each step of the pipeline.

Only column names and types (schema metadata) are sent to AI. Your actual data — the rows in your spreadsheet — never leaves our servers.

  1. File upload — Supabase Storage (Northeast Asia — Tokyo)
     Raw CSV/Excel stored encrypted at rest

  2. Parsing & profiling — Data-plane server
     Column types, statistics, row counts — no LLM involved

  3. Dashboard generation — Data-plane server
     Rule-based chart selection, no AI required

  4. AI insight / Ask a question — Data-plane → LLM API (Anthropic / OpenAI / Gemini)
     Only column names and types sent. Raw row data never leaves our servers.

Security Controls

We align our security program with SOC 2 Trust Service Criteria. This is not a certification claim — it documents the controls currently in place.

Control | Status
Encryption in transit (TLS 1.3) | Implemented
Encryption at rest (AES-256-GCM) | Implemented
Access control — RBAC + Row-Level Security | Implemented
Audit logging (all auth, upload, share events) | Implemented
Rate limiting on all API endpoints | Implemented
CSRF protection | Implemented
HMAC-signed webhooks | Implemented
MFA support | Implemented
Password hashing (bcrypt) | Implemented
Workspace isolation (no cross-workspace data leakage) | Implemented
Data breach notification procedure (72h) | Documented
Sub-processor agreements (DPA) | Documented
Annual penetration testing | Planned
Formal SOC 2 Type II audit | Planned

Have questions about our security program? Contact us or review our Data Processing Agreement.

© 2026 Sairin Technology. All rights reserved. Sheetora is a product of Sairin Technology.