
Security & Data Handling

A plain-English summary of how we protect the information you trust us with. We deliberately do not display certifications we have not yet earned.

Where your data lives

Canvas content and account profiles are stored in a managed Postgres database hosted in the EU. The application itself runs on Cloudflare's edge network. All traffic is encrypted in transit via TLS, with HSTS enforced on our custom domain.

Encryption

  • In transit: TLS 1.2+ end-to-end, HSTS preload-ready.
  • At rest: AES-256 disk-level encryption by our infrastructure provider.

Tenant isolation

Every row of canvas and profile data is scoped to your user ID via Postgres Row-Level Security policies. These policies are enforced at the database layer — not in application code — so even a bug in our frontend cannot expose another user's data to you.

Authentication

  • Email + password with bcrypt hashing handled by our authentication provider.
  • Compromised-password checks (HaveIBeenPwned) are enabled at sign-up and password change.
  • Email verification is required before sign-in.
  • Session tokens are short-lived and rotated on refresh.

Browser hardening

Every response carries strict security headers, including a Content-Security-Policy with frame-ancestors 'none' to prevent clickjacking, X-Content-Type-Options: nosniff, a restrictive Permissions-Policy, and Referrer-Policy: strict-origin-when-cross-origin.
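
The following is an added example, not code from this page or the product it describes: a Python check that audits a set of response headers against the header claims above and the "HSTS preload-ready" claim under Encryption. The function names and sample header sets are constructed for illustration; the one-year max-age threshold is the hstspreload.org submission minimum.

```python
# Added example: audit response headers against the claims on this page.
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for HSTS preload submission

def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]  # first occurrence wins in CSP
    return None

def hsts_preload_ready(hsts):
    """True if max-age >= one year and includeSubDomains and preload are both set."""
    d = {}
    for part in hsts.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            d[name.strip().lower()] = arg.strip(' "')
    age = d.get("max-age", "")
    return (age.isdecimal() and int(age) >= PRELOAD_MIN_AGE
            and "includesubdomains" in d and "preload" in d)

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if csp_frame_ancestors(h.get("content-security-policy", "")) != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none' (page can be framed)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Referrer-Policy may list fallbacks; the last listed value is checked here.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    if not h.get("permissions-policy"):
        findings.append("Permissions-Policy is missing")
    if not hsts_preload_ready(h.get("strict-transport-security", "")):
        findings.append("HSTS is not preload-ready")
    return findings

# Constructed sample header sets (not captured from any real site).
GOOD = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {**GOOD, "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
        "Strict-Transport-Security": "max-age=86400"}
del WEAK["Permissions-Policy"]

if __name__ == "__main__":
    for name, hdrs in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(hdrs) or "all checks passed")
```

To audit a live deployment, pass the header dictionary from any HTTP client response to audit() in place of the constructed samples.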

Backups & recovery

The managed database performs daily off-site backups. We additionally snapshot user workspace and profile tables nightly into a private retention table kept for 30 days, giving us a second recovery path for accidental deletions.

AI processing

When you click "Assess", the contents of that canvas are sent over TLS to an AI gateway to generate the assessment. The provider does not retain prompts for model training. No data is sent to the AI unless you trigger an assessment.

Payments

Payments are processed by PayPal. We never see, store, or transmit your card or bank details.

Responsible disclosure

If you believe you have found a security issue, please email security@businesslongevity.us. Please give us a reasonable window to investigate and remediate before publishing details. We will credit researchers who follow this process.

What we are not claiming

We are an early-stage product. We are not currently SOC 2, ISO 27001, or HIPAA certified, and we do not display badges for certifications we have not earned. We will update this page when that changes.