Convexly Trust Center
One place to evaluate how Convexly handles security and data.
This page is the front door for a security or procurement review. It links to our security posture, subprocessors, platform status, independence policy, and the audit-chain verifier, and it states our compliance posture plainly. Where we do not yet hold a certification, this page says so rather than implying one.
Posture stated 2026-06-27. Questions: security@convexly.app.
Trust surfaces
- How data is protected: encryption, row-level security, access controls, application security, and vulnerability disclosure.
- The third-party providers used to deliver the service, what data each handles, the region, and a link to each provider's DPA.
- Substrate freshness, ingest health, and drift-guard activity. Freshness reporting, not an availability commitment.
- The structural reasons verdicts are not conflicted: no trade execution, no custody, no token, fixed published rules, and no venue-derived revenue.
- Walk the SHA-256 hash-chained evidence log in your browser and confirm each row links to its parent.
- A standard DPA template offered for execution under an enterprise engagement, marked as a template pending counsel review.
- The support SLA: first-response commitment, severity tiers, channels, and maintenance posture. Not an availability SLA.
Compliance posture
The status column is the honest current state. Controls that are in place are described against the live infrastructure. Items that are on the roadmap or not pursued are labeled as such, with no badge or certificate implied.
| Control | Status | Detail |
|---|---|---|
| Encryption in transit | In place | TLS 1.3 on all connections to the web application and API. |
| Encryption at rest | In place | AES-256 at rest on the managed PostgreSQL database (Supabase on AWS). |
| Access control | In place | PostgreSQL row-level security on app-owned user tables plus Supabase JWT authentication. Server-side plan enforcement on paid endpoints. The service-role key is restricted to cron jobs and webhooks. |
| Data residency | United States | Application data is stored and processed in US regions (Supabase on AWS us-east-1; Vercel and Railway US regions). Edge request handling is global; persistent data is US. |
| Subprocessor list | Published | A current, maintained subprocessor list with per-provider DPA links and a change-notice policy for parties under a signed DPA. |
| Vulnerability disclosure | security@convexly.app | Good-faith reports are acknowledged as quickly as practical. Reporters are asked to avoid accessing other users' data, degrading the service, or disclosing before a reasonable investigation window. |
| Data Processing Addendum | Template, offer to execute | A standard DPA template is offered for execution under an enterprise engagement. It is a template pending finalization with counsel and is not yet countersigned. |
| SOC 2 Type II | Not started (on roadmap) | No SOC 2 report exists today. It is on the roadmap and is not yet engaged with an auditor. This page will be updated when an audit is engaged. |
| ISO 27001 | Not pursued | ISO 27001 certification is not currently pursued. |
| Penetration test | Not yet performed | A third-party penetration test has not yet been performed. It is on the roadmap; no test summary is available today. |
SSO (SAML / OIDC), SCIM provisioning, and organization-level MFA enforcement are on the roadmap and are scoped under an enterprise engagement. No single-sign-on configuration ships today, so none is claimed here.
Data rights and export on termination
- You own your account data. The data you submit, your watchlists, your imports, and your saved work remain yours.
- Data export is available in CSV and JSON formats so your records are portable and not locked in.
- On termination, your account data is deleted on request, and inactive accounts can be removed under the retention practices in the privacy policy. We do not keep your data indefinitely against your wishes.
- Customer data is not used to train any model. AI features only process the specific text you choose to submit at the moment you use them, and the API provider does not train on that text under its terms.
- Public on-chain wallet addresses submitted to the free analyzer are not persisted beyond the analysis round-trip; the analysis queries public on-chain data only.
These statements are consistent with the independence policy and the privacy policy. Where a practice is policy rather than a contractual term, it becomes contractual when written into a signed agreement.
Security questionnaire (pre-filled)
A short, plain answer set to the questions a vendor review asks first. Every answer is true today. It is meant to shorten the back-and-forth, not to replace a full questionnaire your team may send.
Is data encrypted in transit and at rest?
Yes. TLS 1.3 protects all connections in transit. Data at rest is encrypted with AES-256 on the managed PostgreSQL database (Supabase on AWS).
How is access to customer data controlled?
Application access is enforced with PostgreSQL row-level security on app-owned user tables and Supabase JWT authentication. Paid features are enforced server-side. The service-role administrative key is restricted to cron jobs and webhooks and is not exposed to the browser.
Where is data stored and processed (residency)?
Application data is stored and processed in United States regions: Supabase (AWS us-east-1) for the primary data store, with Vercel and Railway in US regions for hosting. Edge request handling is global; persistent storage is US.
Do you hold SOC 2, ISO 27001, or a penetration-test report?
Not today. SOC 2 Type II is on the roadmap and not yet engaged with an auditor. ISO 27001 is not currently pursued. A third-party penetration test has not yet been performed. We state this plainly rather than imply a certification we do not hold.
What is your incident and vulnerability-disclosure posture?
Vulnerabilities can be reported to security@convexly.app with reproduction steps, the affected URL or API path, and impact. Good-faith reports are acknowledged as quickly as practical. A formal incident-response runbook and breach-notification commitments are scoped into an enterprise contract.
Who are your subprocessors and how are changes communicated?
The current subprocessor list is published at /legal/subprocessors with each provider's purpose, the data shared, the region, and a link to that provider's DPA. Parties under a signed DPA receive advance notice of material changes per that agreement.
Do you offer a Data Processing Addendum?
Yes. A standard DPA template is offered for execution under an enterprise engagement. It is a template that will be finalized with counsel before signature, and it is not yet countersigned.
What are my data rights, including export and deletion?
You own your account data. Export is available in CSV and JSON. On termination, account data is deleted on request. Customer data is not used to train any model. The full statement is in the Data rights section above.
Do you support SSO, SCIM, or organization-level MFA enforcement?
Not today. Authentication is Supabase JWT. SAML/OIDC single sign-on, SCIM provisioning, and organization-level MFA enforcement are on the roadmap and discussed under an enterprise engagement. No single-sign-on configuration is shipped, so we do not claim one.
What availability commitment do you make?
The status page is freshness reporting, not an availability commitment, so we do not publish an uptime percentage we cannot measure or back with credits. A measured availability SLA with service credits is available on an enterprise contract. The support SLA, with first-response commitments and severity tiers, is at /legal/sla.
Need the diligence package?
The enterprise data room indexes the architecture and security overview, subprocessor list, methodology and evidence, and the independence statement, with availability labels attached. Access to gated artifacts is requested through the enterprise process.