Last updated: October 26, 2025
We blend strong security with simple, clear controls so your data stays safe and easy to manage—without getting in your way.
Sign in with Google SSO (Live) or email + one-time code (Live). Every session is logged with timestamp, IP, and device details so admins have a transparent, auditable trail. Sessions use short-lived tokens and are revoked on logout.
SOC 2 Type II (In Process). We're undergoing a third-party audit to validate our controls over time—logging, change management, access, and incident handling. As soon as the report is issued, we'll share details with customers under NDA.
Role-based permissions (Live) let you control who sees what—at the org, workspace, and page levels. Guest access and expiring links (In Process) will make sharing with outside collaborators precise and time-bound. Admins can already review sign-ins and sensitive actions; page-level history (In Process) will expand that visibility further.
All traffic is protected with modern TLS in transit, and your data is encrypted at rest in our cloud databases and object storage (Live). Centralized key management and scheduled rotation (In Process) add another layer of control as we finalize our KMS rollout.
We host on AWS in the United States (Live). Additional regions (In Process) will introduce EU/UK data-residency options as we expand.
We apply least-privilege access, scoped service accounts, and row-level security to isolate tenant data (Live). Secrets are kept server-side only—never in client code (Live). Automated dependency checks and supply-chain safeguards (In Process) are wired into our build pipeline to catch issues early.
We pair internal controls with independent oversight. Annual penetration testing (In Process), continuous vulnerability scanning (In Process), and a block-on-critical policy (In Process) keep risk in check. Our incident playbook and on-call rotation are being formalized with response SLAs and customer communications (In Process).
Point-in-time backups support recovery from accidental changes or failures (Live). Verified erasure requests with a documented SLA (In Process) ensure customer data can be removed cleanly when required.
Banking and payments connect through trusted providers like Plaid and Stripe. You approve scopes, you can revoke access anytime from the provider dashboard, and we never see your bank credentials (Live).
If you have security questions or want to report an issue, email admin@startupstarter.co.
For privacy details, see our Privacy Policy.