Security
Effective May 2, 2026
WhatsMyESG (“WME”) is built on SOC 2 Type II infrastructure end-to-end and is operated with a small set of vetted vendors. This page documents how we protect your account, your data, and your payment credentials.
1. Encryption
- In transit. All connections to whatsmyesg.com and to our APIs are served over HTTPS with TLS 1.3. HTTP-to-HTTPS redirects are enforced at the edge.
- At rest. Database storage at our Postgres provider (Supabase) is encrypted with AES-256 at the storage layer. Object storage and backup volumes are encrypted with AES-256 by the underlying cloud provider.
- Secrets. Application secrets (API keys, service-role tokens, signing keys) are stored in Vercel’s environment-variable layer with restricted runtime exposure. They are never committed to source control.
2. Authentication
- Passwordless by default. We use magic-link email sign-in via Supabase Auth. We do not store user passwords, so password-database breaches at WME are not a threat vector.
- Session tokens. Sessions are issued as signed tokens with a finite lifetime; sign-out revokes them immediately on the device.
- Account recovery. Recovery is via the email-based magic-link flow. If you lose access to your email, contact info@whatsmyesg.com for a manual identity-verification path.
3. Data Isolation
We use Supabase Row-Level Security (RLS) on the Postgres tier so that authenticated requests can only read or write rows tagged with the requester’s user identifier. RLS policies are enforced by the database itself, not only in the application layer, so a bug in our application code cannot bypass them.
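The following is an added illustration of the pattern described above, not WME's actual schema or policies: a hypothetical `reports` table whose rows are tagged with the Supabase auth user id, with policies that scope both reads and writes to the caller (`auth.uid()` is Supabase's helper returning the authenticated user's id).

```sql
-- Added example (hypothetical table; not WME's production schema).
-- Every row carries the owning user's id, filled in from the session by default.
CREATE TABLE reports (
  id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id  uuid NOT NULL DEFAULT auth.uid(),
  entity   text NOT NULL,
  body     jsonb
);

-- Weak state: without this, any policy below is ignored and every role that
-- can SELECT on the table sees all users' rows.
ALTER TABLE reports ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner too (owners otherwise bypass RLS;
-- superusers and BYPASSRLS roles still do).
ALTER TABLE reports FORCE ROW LEVEL SECURITY;

-- Reads: only rows tagged with the caller's id are visible.
CREATE POLICY reports_select_own ON reports
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- Inserts: WITH CHECK rejects rows tagged with someone else's id.
CREATE POLICY reports_insert_own ON reports
  FOR INSERT TO authenticated
  WITH CHECK (user_id = auth.uid());

-- Updates: USING limits which rows can be touched, WITH CHECK prevents
-- re-tagging a row to another user during the update.
CREATE POLICY reports_update_own ON reports
  FOR UPDATE TO authenticated
  USING (user_id = auth.uid())
  WITH CHECK (user_id = auth.uid());

-- Deletes: same ownership filter.
CREATE POLICY reports_delete_own ON reports
  FOR DELETE TO authenticated
  USING (user_id = auth.uid());
```

Requests made with the Supabase service-role key bypass RLS entirely, which is why the scope and exposure of that token (sections 1 and 7) matter as much as the policies themselves.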
4. Payments
Subscription payments are processed by Stripe, Inc. Stripe is certified PCI DSS Level 1, the highest level of payment-card-industry certification. Card numbers, CVV, and bank credentials are sent directly from your browser to Stripe’s servers. WME never sees, stores, or transmits your card data; we receive only an opaque customer-and-subscription handle.
5. Hosting & Infrastructure
| Layer | Provider & posture |
|---|---|
| Application hosting & CDN | Vercel, Inc. (SOC 2 Type II). U.S. edge regions for our origin. |
| Database & auth | Supabase, Inc. (SOC 2 Type II, ISO/IEC 27001:2022, GDPR-aligned). U.S. region for our project. |
| DNS & edge security | Cloudflare, Inc. for whatsmyesg.com. |
| Payments | Stripe, Inc. (PCI DSS Level 1). |
| Transactional email | Resend. |
| LLM inference (report synthesis) | OpenRouter, Inc. (LLM gateway). Routes requests to Anthropic, PBC (anthropic/claude-opus-4.7 primary) with OpenAI, OpC as automatic fallback. Inputs are limited to the entity name and any notes you provide; no payment data, no account credentials, and no PII beyond that are transmitted. Each provider applies its own standard enterprise API data-handling policy. |
6. Backup & Continuity
- Database backups. Supabase performs automatic daily backups for our Postgres instance. We hold the retention window appropriate to our subscription tier and increase retention as our customer base grows. Production schemas are versioned in source control so the application can be rebuilt from clean state.
- Application redeployability. The application is deployed from version control on Vercel. We can roll forward or roll back to any tagged release in minutes.
- Recovery posture. We maintain documented recovery steps for the database and application tiers. We test the database-restore path on a non-trivial cadence; we do not publish RTO/RPO numbers we have not measured.
7. Access Control & Operations
- Production access is restricted to authorized operators with two-factor authentication on every relevant vendor console (Vercel, Supabase, Stripe, Cloudflare, Resend).
- We follow the principle of least privilege; service-role tokens have the narrowest scope sufficient to operate.
- Application logs are retained for security and audit purposes per the schedule disclosed in our Privacy Policy.
8. Data Retention & Deletion
Account data is retained while your subscription is active and for 30 days after cancellation, after which it is hard-deleted. On verified user request, we delete account data and reports sooner. Backups containing already-deleted records age out of the backup retention window on the schedule above. See Privacy Policy § 3 for the full retention table.
9. Vulnerability Disclosure
If you have identified a security issue affecting WME, please report it to security@whatsmyesg.com. If security@ bounces during the pre-launch period, write to info@whatsmyesg.com with “Security” in the subject line. We commit to:
- Acknowledge receipt within three (3) business days.
- Triage the report and respond with a substantive update within fourteen (14) business days.
- Not pursue legal action against good-faith researchers who comply with this policy — namely, do not access or modify data beyond what is necessary to demonstrate the vulnerability, do not disrupt service, and give us a reasonable window to remediate before public disclosure.
Bug bounty. We do not currently operate a paid bug-bounty program. We will publicly credit reporters who wish to be named and whose findings result in a security fix. We intend to launch a paid program when revenue scale supports it.
10. Incident Response
If we determine that a security incident has compromised personal information of identifiable users, we will notify affected subscribers and, where required, regulators within the statutory window applicable to the affected jurisdictions (including, where applicable, the 72-hour window under GDPR Art. 33 and the “most expedient time” standard under Texas Bus. & Com. Code § 521.053).
11. Subprocessor Changes
Our list of subprocessors is published in the Privacy Policy § 4. We will update that section before adding a new subprocessor that processes personal information.
12. Contact
Vertexium Environmental Solutions
Dallas, Texas, United States
security@whatsmyesg.com · info@whatsmyesg.com
