
security questionnaire.

our standing answers to the questions enterprise security teams ask, in the shape of a CAIQ-lite or SIG-lite. every answer here is honest. where a control is planned rather than in place, we say so. point your security reviewer at this page, or copy these answers into your form.

the deeper artifacts (master services agreement, data processing addendum, security posture one-pager) and the full sub-processor list live at /trust. for anything not covered below, write to calkire@noctaracorp.com and we will answer in plain language.

data security

Is customer data encrypted in transit?
yes
Yes. All traffic is served over TLS 1.2 or higher, terminated at Vercel and Supabase. There are no plaintext endpoints.
Is customer data encrypted at rest?
yes
Yes. Data at rest is stored in Supabase Postgres with managed AES-256 encryption. File storage uses the same managed encryption.
Where is customer data hosted, and in what region?
us
Data is hosted in the United States. The database and file storage are on Supabase (US-East) and the application is hosted on Vercel (US-East). Our sub-processors and their regions are listed at /subprocessors.
Do you store payment card data?
no
No. We do not store, process, or transmit cardholder data on our systems. Payments are handled entirely by Stripe, a PCI-DSS Level 1 service provider. We retain only Stripe customer and subscription identifiers, never card numbers.
Do you store health, medical, or government-identifier data?
no
No. We do not collect or store health records, medical data, or government-issued identifiers such as SSNs or passport numbers. The product makes no medical or diagnostic claims. We collect email, subscription status, and the behavioral aggregates described in the data flow at /trust.
What categories of personal data do you collect?
Email address, account and subscription metadata, and five behavioral aggregates (typing speed, edit ratio, pauses, rewrites, time to first key) computed during the structured prompt. Raw keystroke timing is computed on the device and is not stored server-side as raw biometric data.

access control

Who can access production data?
Access to production data is limited to the founder, who operates the company. There is no broad employee base with standing database access. Access follows least privilege: application code uses scoped, server-side service-role keys, and Supabase row-level security enforces per-user isolation on user-owned tables.
Are service-role and admin keys exposed to the client?
no
No. Privileged keys (Supabase service-role, Stripe secret, provider admin keys) live in server-side environment variables only and are never shipped to the browser or the mobile clients. Clients use scoped, public, row-level-security-bound credentials.
Is multi-factor authentication enforced on provider accounts?
yes
Yes. MFA is enabled on the underlying provider accounts (Vercel, Supabase, Stripe, domain and source-control providers) that hold administrative access to production infrastructure.
How do end users authenticate?
Consumer accounts authenticate by email plus the behavioral mark and Sign in with Apple. Identity grant tokens are HMAC SHA-256 signed, scoped to the requesting application, and revocable from the user dashboard. Enterprise SSO is handled through Clerk where applicable.

application security

Do you validate and sanitize input?
Yes. API endpoints validate request shape and content server-side. Database access is parameterized through the Supabase client, which guards against SQL injection, and row-level security constrains every query to the authenticated user.
How are secrets managed?
Secrets are stored as platform-managed environment variables on Vercel and Supabase. They are never committed to source control. Code is reviewed to keep credentials out of the repository.
Are scheduled jobs and webhooks authenticated?
yes
Yes. Scheduled jobs (cron) are gated on a Bearer CRON_SECRET, not on a spoofable platform header. Stripe webhooks are verified against the Stripe signing secret before any state change is applied.
Do you apply rate limiting and abuse controls?
Yes. Sensitive endpoints apply rate limiting (for example, IP-based limits on the compression gate) to reduce abuse and automated probing.
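As an added illustration of the IP-based limit mentioned above (example code written for this page, not Noctara's), here is a sliding-window limiter of the kind placed in front of a sensitive route. The limit, window and the 429 response shape are assumptions; the counters live in one process, so a deployment with several instances would back them with a shared store instead of a `Map`.

```javascript
// Added example (not Noctara's code): per-IP sliding-window rate limiter.
// Assumptions: the limit, window and response shape are invented; counters
// are process-local. Determining the client IP (for example from the
// platform's forwarded-for header) is left to the caller.
class IpRateLimiter {
  constructor({ limit = 10, windowMs = 60_000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> ascending list of request timestamps
  }

  // Record one request from `ip` at time `now` and say whether it may proceed.
  check(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    // Keep only timestamps still inside the window.
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      // The oldest in-window hit determines when capacity frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop IPs with no in-window hits so the map cannot grow without bound.
  sweep(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [ip, list] of this.hits) {
      if (!list.some((t) => t > cutoff)) this.hits.delete(ip);
    }
    return this.hits.size;
  }
}

// Route wrapper: turn a denied check into a 429 with a Retry-After hint and
// only invoke the real handler when the request is allowed.
function gate(limiter, ip, handler, now = Date.now()) {
  const verdict = limiter.check(ip, now);
  if (!verdict.allowed) {
    return {
      status: 429,
      headers: { 'Retry-After': String(Math.ceil(verdict.retryAfterMs / 1000)) },
      body: 'rate limited',
    };
  }
  return handler();
}
```

A sliding window avoids the burst at window boundaries that a fixed-window counter allows, at the cost of storing one timestamp per in-window request.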

AI and sub-processors

Is customer data used to train AI models?
no
No. The compression and reading engine runs on the Anthropic API. Under Anthropic's commercial API terms, inputs and outputs submitted through the API are not used to train its models. We do not train our own models on private participant text without explicit consent.
Which sub-processors handle customer or participant data?
Database and file storage: Supabase (US-East). Hosting: Vercel (US-East). Authentication: Clerk (US-East). Payments: Stripe (US). Transactional email: Resend (US). Compression and reading engine: Anthropic (US). The maintained list, with notice terms, is at /subprocessors.
Will we be notified before you add a new sub-processor?
yes
Yes. We provide thirty days written notice before adding a new sub-processor that processes customer or participant data.

privacy and data rights

Can participants exercise data-subject rights (access, deletion, correction)?
yes
Yes. Participants can request access, correction, or deletion. Customer-initiated deletion is immediate at the API level: the user row is anonymized and PII tables (compressions, marks, identity grants, sessions) are hard-deleted within the same request. Requests go to her@noctaracorp.com.
What is your data retention policy?
Active customer data is retained for the duration of the subscription plus thirty days, after which it is eligible for deletion. Deletion requests are honored immediately regardless of that window.
Can coaches or organization administrators see a participant's raw answers?
no
No. The architecture separates the two surfaces by design. VEX coaches and organization administrators see aggregate and consented signals, never the participant's raw written answers. Individual-exposing endpoints are gated on explicit per-organization consent recorded at the moment of reveal. This separation is enforced in code, not just policy.
Do you run third-party trackers on the consumer surface?
no
We do not run third-party trackers on the consumer reading surface. We do not sell personal data to advertisers, insurers, data brokers, or governments. See the full refusals at /trust and the consumer policy at /privacy.

compliance

Are you SOC 2 certified?
not certified
Not yet certified, and not currently in an active audit. We operate the underlying readiness controls (encryption, least-privilege access, authenticated jobs, breach notification, deletion guarantees) described on this page and mapped to the Trust Services Criteria at /soc2-readiness. We will scope a formal SOC 2 audit (Type I, then Type II) as a closing condition for enterprise-tier engagements as demand warrants. We will not represent ourselves as certified before an audit report exists.
What is your GDPR / UK-GDPR / CCPA posture?
Our Data Processing Addendum is shaped to GDPR, UK-GDPR, and CCPA. It defines the controller and processor roles, the sub-processor list, retention, deletion, and breach notice. Data-subject and consumer rights (access, deletion, and opt-out of sale, though we do not sell data) are supported.
Do you offer a Data Processing Addendum?
yes
Yes. A DPA is available and ready for counsel review on your side. It is at /dpa, alongside the master services agreement and security posture.

business continuity

Do you back up data?
yes
Yes. We rely on Supabase managed backups of the production Postgres database. Recovery uses the provider's point-in-time and snapshot facilities.
What is your incident response process?
On a confirmed security incident affecting customer or participant data, we notify the customer's primary contact in writing within seventy-two (72) hours of confirmation, with a summary of scope, affected data, mitigation, and timeline. The full procedure is documented in the security posture at /incident-response.

vulnerability management

How do you manage dependency and platform vulnerabilities?
We keep dependencies current and apply security updates as they are published. Hosting and database run on managed platforms (Vercel, Supabase) that patch the underlying infrastructure. Code is reviewed for the common application risks (injection, broken access control, exposed secrets) before changes ship.
Have you completed a third-party penetration test?
planned
Not yet. A formal third-party penetration test is planned and will be scoped alongside the SOC 2 effort. We will share results with enterprise customers under NDA once it is complete. We will not claim a pen test has been performed before it has.
Do you have a way to report a vulnerability?
yes
Yes. Report any suspected vulnerability to calkire@noctaracorp.com. We will acknowledge and triage promptly.

questions

commercial or security questions during evaluation: calkire@noctaracorp.com.

privacy or data-rights requests: her@noctaracorp.com.

noctara, inc. is the operating subsidiary of pupul, inc. marietta, ohio.
this questionnaire reflects controls in place as of the date below. planned items are marked as planned and are not represented as complete.
last updated 2026-06-18.