Security

How we protect your business data.

Your business plan contains some of the most sensitive information you have. Here is exactly how we handle it.

Last updated · 27 April 2026

Encryption

  • In transit. All traffic to and from FundedPlan is encrypted with TLS 1.2 or higher. Older protocols are disabled.
  • At rest. All project data, account information, and uploaded files are encrypted at rest using AES-256.
  • Backups. Backups are encrypted with the same standards and stored in a separate region.
  • Secrets. API keys and credentials are stored in secret managers, never in code or version control.

Hosting and infrastructure

FundedPlan runs on SOC 2 Type II-compliant infrastructure providers, primarily Vercel and Amazon Web Services. Production environments are isolated from development environments. All infrastructure changes are logged and reviewed.

Network security

  • HTTPS is enforced on every endpoint, including subdomains.
  • HTTP Strict Transport Security (HSTS) is enabled.
  • Firewalls restrict ingress to required ports only.
  • Web application firewall and DDoS mitigation are provided by our hosting layer.

Access control

  • Access to customer data is restricted to staff who need it to deliver the project.
  • All staff accounts use strong passwords and two-factor authentication.
  • Production access is logged and reviewed.
  • Access is revoked immediately when staff leave.
  • We follow the principle of least privilege across all internal systems.

Application security

  • Dependencies are continuously monitored for known vulnerabilities and patched promptly.
  • Code changes are peer-reviewed before merging to production branches.
  • Authentication is handled by Supabase Auth with industry-standard password hashing (bcrypt) and session management.
  • Rate limiting and bot detection are enforced on sensitive endpoints.

Payment security

All payments are processed by Stripe, a PCI DSS Level 1 service provider. We never see, store, or transmit raw card numbers. Card data is collected directly by Stripe's hosted forms.

AI and your data

We use AI tools internally to accelerate research, drafting, and modeling. Your business information is never used to train any AI model. All third-party AI providers we use have been configured for zero data retention on our account.

Data retention and deletion

Project data is retained for 24 months after delivery so you can request re-downloads. After that, project data is permanently deleted. Account and billing records are retained as required by tax law (typically 7 years in the US). You can request earlier deletion of your project data at any time by emailing support@fundedplan.com.

Sub-processors

We use a small set of trusted sub-processors for hosting, payment processing, AI generation, email delivery, and analytics. The full list is published in our Privacy Policy and updated whenever it changes.

Employee training and access

  • All staff complete security and privacy training on onboarding and annually thereafter.
  • Confidentiality and acceptable-use agreements are required for all staff and contractors.
  • Background checks are conducted where permitted by law.

Incident response

We maintain a documented incident response process covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, we will notify affected customers without undue delay, and in any case within the timelines required by applicable law (72 hours for GDPR-relevant breaches).

Business continuity

Customer data is backed up regularly and stored in a separate region. Our infrastructure providers offer multi-region failover. We test our backup-restore procedure periodically.

Reporting a vulnerability

Found a security issue? Please report it to security@fundedplan.com. We respond to legitimate reports within two business days and credit responsible disclosure where requested.

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.

Compliance

We honor data subject rights under GDPR, CCPA / CPRA, and similar regulations. See our Privacy Policy for full details on rights and how to exercise them.

Contact

Security-specific questions go to security@fundedplan.com. General privacy and data questions go to support@fundedplan.com.