Security-First Architecture

Fundry uses a process-in-place architecture: we don't retain your raw documents. We connect to your systems via read-only OAuth, extract structured data, and delete raw files within 24 hours of review. The extracted structured data is stored encrypted and isolated to your firm. Every control needed for SOC 2 certification is already built and operational.

Built on certified infrastructure

Supabase | Database & Auth | SOC 2 Type II
Vercel | Application Hosting | SOC 2 Type II
Anthropic | LLM (Claude) | SOC 2 Type II
OpenAI | Embeddings | SOC 2 Type II
Stripe | Payments | PCI DSS Level 1
Resend | Transactional Email | SOC 2

These are our infrastructure providers' certifications. Fundry inherits these controls by building on certified platforms.

Data Protection

  • Process-in-place — raw documents not retained; deleted within 24h of review
  • Raw files deleted within 24 hours of processing
  • Sensitive PII (SSN/TIN, bank, contact) stripped before embedding (OWASP LLM08:2025)
  • AES-256-GCM encryption at rest; TLS 1.3 in transit
  • Encrypted PII vault with numbered placeholder substitution

AI Governance

  • 4-tier model routing — RESTRICTED data never sent to open-source APIs
  • Agent autonomy levels 0-3 (Level 3 = human-only actions)
  • 5-layer quality stack: RAG grounding, confidence scoring, evaluator review, citation trails, human approval
  • Privacy router classifies and logs every LLM call (full enforcement enabled at Phase 15)
  • Confidence scoring on every output — green (>85%), yellow (70-85%), red (<70%)

How we measure accuracy

DDQ accuracy is graded by a 5-layer quality stack: RAG-grounded retrieval, per-answer confidence scoring, evaluator agent review (Claude Opus), citation verification, and mandatory human approval before any output reaches LPs. Live baselines are captured in agent_eval_runs and posted publicly once the firm-KB target band is met.

Access & Compliance

  • Row-level security on every table with firm-scoped isolation
  • MFA support with Supabase Auth
  • 4-role RBAC: Owner, Admin, Member, Viewer
  • GDPR data minimization + right to erasure; CCPA compliant
  • SEC audit trail for all agent outputs and user actions

SOC 2 Readiness

All SOC 2 controls are implemented and operational. We haven't yet undergone the formal audit — our infrastructure providers carry the certifications today, and we plan to complete our independent SOC 2 Type II audit within 12 months of launch.

  • Role-based access control (Owner, Admin, Member, Viewer)
  • Multi-factor authentication support
  • Audit logging for all agent outputs and user actions
  • AES-256-GCM encryption at rest for all data
  • TLS 1.3 encryption in transit for all connections
  • PII detection and stripping pipeline (OWASP LLM08:2025)
  • Secrets scanning and rotation procedures
  • Incident response procedures with defined SLAs
  • Data retention and deletion policies
  • Row-level security enforcing multi-tenant isolation

Document Processing Flow

How your data moves through Fundry — and where it gets deleted

Customer System

Google Drive, Gmail, SharePoint

Read-Only OAuth

Fundry never writes to your systems

PII Detection & Stripping

Regex + NER scan, placeholder substitution, vault storage

LLM Processing (Tier 1 Only)

PII-free text sent to Anthropic Claude for extraction

Structured Data Extraction

Q&A pairs, classifications, parsed fields stored encrypted

Raw Document Deletion

Within 24 hours — no raw content retained
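
The PII stripping step in the flow above (regex scan, numbered placeholder substitution, vault storage), sketched as an added example; it is not Fundry's code. The pattern set, the `[KIND_n]` placeholder format and the function names are assumptions, the NER pass is omitted, and the in-memory dict stands in for the encrypted vault.

```python
import re

# Constructed patterns for illustration only. Regex covers fixed-format
# identifiers; names and addresses need the NER pass the page also lists.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def strip_pii(text):
    """Return (redacted_text, vault); vault maps placeholder -> original value."""
    vault = {}      # assumption: stands in for encrypted vault storage
    seen = {}       # original value -> placeholder, so repeats share one number
    counters = {}   # per-kind running number

    def make_sub(kind):
        def sub(match):
            value = match.group(0)
            if value not in seen:
                counters[kind] = counters.get(kind, 0) + 1
                placeholder = f"[{kind}_{counters[kind]}]"
                seen[value] = placeholder
                vault[placeholder] = value
            return seen[value]
        return sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_sub(kind), text)
    return text, vault

def leaks(text):
    """Fail-closed gate: kinds of PII still present in text about to be sent."""
    return [kind for kind, pattern in PATTERNS.items() if pattern.search(text)]

def rehydrate(text, vault):
    """Restore originals in model output, inside the trust boundary only."""
    for placeholder, value in vault.items():
        text = text.replace(placeholder, value)
    return text

# Constructed sample input, not real data.
SAMPLE = ("LP contact jane.doe@example.com, SSN 123-45-6789, "
          "fund EIN 12-3456789. Send K-1 to jane.doe@example.com.")
```

Calling `leaks()` on the redacted text immediately before the outbound LLM request turns a missed pattern into a blocked call rather than an exposure.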

Incident Response

Defined response times by severity. Breach notification within 72 hours per GDPR.

Severity | Description | Response Time
SEV 1 | Data breach, PII exposure | 1 hour
SEV 2 | Auth bypass, incorrect output | 4 hours
SEV 3 | Feature outage, degraded accuracy | 24 hours
SEV 4 | UI bug, cosmetic issue | 72 hours

Questions about security?

We're happy to discuss our security architecture, share our DPA, or schedule a call with our engineering team.

This page is provided for informational purposes and does not constitute legal advice. Consult legal counsel for compliance determinations specific to your organization.