Security & Trust
Last updated: April 30, 2026
Your deal data, secured.
Pocket Fund is built for private equity firms handling LOIs, signed NDAs, and confidential CIMs. Security is foundational — not a checklist.
Where your data lives
All Pocket Fund data is processed and stored on enterprise-grade, SOC 2 Type II certified infrastructure:
- Database, authentication, file storage: Supabase (AWS, US region) — SOC 2 Type II
- Application hosting: Vercel (serverless, global edge) — SOC 2 Type II
- AI processing: OpenAI, Anthropic, Google (each SOC 2 Type II); Azure Document Intelligence
No customer data is stored on unmanaged servers or developer machines. See full sub-processor list below.
Encryption
In transit
TLS 1.2 or higher on all connections. TLS 1.3 negotiated when supported by client. HTTPS enforced via HSTS.
At rest
PostgreSQL encrypted with AES-256 via Supabase-managed disk encryption. File storage encrypted at rest by Supabase Storage. Encrypted automated backups retained per Supabase policy.
Tenant isolation
Every record in every scoped table is tagged with an organizationId. Server-side middleware enforces this on every API route — there is no "trust the client" path.
How we prove it:
- 34 automated cross-organization tests run on every deploy. Each one actively attempts to read or write another organization's data and verifies the API rejects it.
- 268 explicit org-scope checks across 45 API route files (audited 2026-04-30).
- Cross-org access attempts return HTTP 404, not 403, to prevent resource enumeration.
Customers on the Team plan or higher can run a live isolation check from their Settings → Security panel and download a JSON report.
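The pattern described in this section (an org filter on every lookup, an identical 404 for missing and cross-org records, and automated cross-org attempts) can be sketched as follows. This is an added example, not Pocket Fund's code; makeStore, handle, runIsolationChecks and the sample rows are hypothetical.

```javascript
// Added example; makeStore, handle and the sample rows are hypothetical.
function makeStore(rows) {
  // Lookups filter on organizationId: a foreign id looks like a missing id.
  const find = (orgId, id) =>
    rows.find((r) => r.id === id && r.organizationId === orgId) || null;
  return {
    get: find,
    update(orgId, id, patch) {
      const row = find(orgId, id);
      if (!row) return null;
      // Strip ownership fields so a client cannot move a record across orgs.
      const { organizationId, id: _id, ...safe } = patch;
      return Object.assign(row, safe);
    },
  };
}

function handle(store, session, req) {
  // The org comes from the verified session, never from the request itself.
  if (!session || !session.organizationId) return { status: 401 };
  const row = req.method === 'GET'
    ? store.get(session.organizationId, req.id)
    : store.update(session.organizationId, req.id, req.body || {});
  // One response for "missing" and "other tenant's": no enumeration signal.
  if (!row) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: { ...row } };
}

// Cross-organization checks in the style described above (constructed data).
function runIsolationChecks() {
  const rows = [
    { id: 'deal-a1', organizationId: 'org-a', name: 'Alpha' },
    { id: 'deal-b1', organizationId: 'org-b', name: 'Bravo' },
  ];
  const store = makeStore(rows);
  const asA = { organizationId: 'org-a' };
  const crossRead = handle(store, asA, { method: 'GET', id: 'deal-b1' });
  const missing = handle(store, asA, { method: 'GET', id: 'deal-zz' });
  const crossWrite = handle(store, asA, { method: 'PATCH', id: 'deal-b1', body: { name: 'x' } });
  const spoof = handle(store, asA, { method: 'PATCH', id: 'deal-a1', body: { organizationId: 'org-b', name: 'Renamed' } });
  return {
    ownRead: handle(store, asA, { method: 'GET', id: 'deal-a1' }).status === 200,
    crossReadIs404: crossRead.status === 404,
    indistinguishable: JSON.stringify(crossRead) === JSON.stringify(missing),
    crossWriteBlocked: crossWrite.status === 404 && rows[1].name === 'Bravo',
    orgNotReassigned: spoof.status === 200 && spoof.body.organizationId === 'org-a',
    unauthenticated: handle(store, null, { method: 'GET', id: 'deal-a1' }).status === 401,
  };
}
```

The `indistinguishable` check is the one that backs the 404-not-403 claim: it compares the full response for another tenant's record against the response for an id that does not exist.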
AI & LLM data handling
Pocket Fund uses AI from OpenAI, Anthropic, Google, and Azure. We use the API tiers of each, which contractually do not train models on customer data.
- OpenAI: API data not used for training (policy)
- Anthropic: API data not used for training (policy)
- Google Gemini: API data not used for training (policy)
- Azure Document Intelligence: customer data isolated, not used for model improvement
Your CIMs, LOIs, and memos never feed any model — ours or theirs.
Access controls
- Authentication: Supabase Auth with optional TOTP-based two-factor authentication (Google Authenticator, Authy, 1Password compatible)
- Org-wide MFA enforcement: admins can require all members to enable 2FA
- 9-tier role-based access control: admin, partner, principal, vp, associate, analyst, ops, member, viewer
- Rate limiting: three tiers — general (600 req / 15 min), AI (10 req / min), writes (30 req / min)
- Standard hardening: helmet middleware, CORS allow-list, JWT-based session tokens
Audit logging
Every sensitive action is logged with timestamp, user ID, organization ID, resource ID, action, and severity. Customer admins can view, filter, and export their organization's audit log directly from the Admin Dashboard.
Tracked actions include:
- Authentication events (login, logout, failed login, password reset, MFA changes)
- Deal lifecycle (created, updated, deleted, viewed, stage changed, assigned, exported)
- Document operations (uploaded, deleted, downloaded, viewed)
- Memo operations (created, updated, deleted, approved, exported, shared)
- User management (created, updated, deleted, invited, role changed)
- System operations (settings changed, bulk export, API key lifecycle, isolation test runs)
60+ distinct action types across 9 resource types are tracked.
Sub-processors
The third parties that process customer data on our behalf are listed below. We notify customers 30 days before adding any new sub-processor.
| Provider | Service | Region | Certifications | DPA |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | US (AWS) | SOC 2 Type II | DPA |
| Vercel | Application hosting (serverless) | Global (edge) | SOC 2 Type II | DPA |
| OpenAI | GPT-4o (extraction, classification, chat) | US | SOC 2 Type II | DPA |
| Anthropic | Claude (financial cross-verification) | US | SOC 2 Type II | DPA |
| Google | Gemini (LLM router fallback) | US | SOC 2 | DPA |
| Microsoft Azure | Document Intelligence (PDF extraction) | US | SOC 2 Type II, ISO 27001 | DPA |
| Apify | Web search (firm research agent) | US/EU | SOC 2 | DPA |
| Resend | Transactional email (invitations, alerts) | US | SOC 2 Type II | DPA |
| Sentry | Error monitoring (sanitized stack traces only — no customer data in payloads) | US | SOC 2 Type II | DPA |
Founder pledge
I, Ganesh Jagtap, founder of Pocket Fund, commit to the following — in plain language, signed and dated, with my name on it:
- We will never sell, share, or repurpose your data. Your deal pipeline, LOIs, valuation models, and contacts are yours. We are a custodian, not an owner.
- Your data is never used to train AI models — ours, OpenAI's, Anthropic's, Google's, or any other provider's. We use API tiers explicitly because they exclude customer data from training.
- Pocket Fund staff access is logged. Every time any member of our team accesses your data, you see it in real-time in Settings → Security & Privacy. Today, the count is zero. We intend to keep it there.
- You will get 90 days notice before we add any new sub-processor, with a clear opt-out path.
- Breach notification within 72 hours. If your data is ever exposed, you will hear from me directly — by phone or email, not via a buried status page update.
- You can leave at any time. Full data export on request, complete deletion within 30 days of contract end, with a signed deletion certificate.
- The founder is personally accountable. If anything goes sideways, you have a name to call: ganesh@pocket-fund.com.
Ganesh Jagtap
Founder, Pocket Fund
Last signed: May 2026
Compliance roadmap
- SOC 2 Type I: in progress; target completion date available on request.
- SOC 2 Type II: following Type I
- Annual penetration test: planned for the next quarter
- GDPR: DPA available on request; data deletion within 30 days of contract termination
Contact
Security questions, vulnerability reports, or compliance inquiries: security@pocket-fund.com
Urgent security issues: tech@pocket-fund.com
For DPA, MNDA, or sub-processor list requests, email the address above with a subject line indicating the request type.