Your data lives in your tenant.
We never sell, share, or train AI models on it. The AI loops are bounded to your tenant’s data; they cannot cross-tenant.
Security & trust
Your data, your credentials, your business.
We host your operations. We don’t own your business.
SOC 2 in progressPCI via StripeBYO Stripe, QBO, Twilio, SendGrid
Compliance + integrations
Trust signals, plain and visible
No seals, no shields. The status is the signal — written out, kept current, and equal in weight to what is still in progress.
AuditSOC 2 Type IIType II audit underway. Report targeted for Q4 2026.In progress
PaymentsPCI DSSSecure payments powered by Stripe. We never see or store your card information.Via Stripe
PrivacyGDPR + CCPAData-subject-rights requests by email today; self-serve portal ahead of GA.DSR portal
IntegrationsBYO credentials
StripeQuickBooksTwilioSendGrid
Your accountsData ownership
Your data, your credentials
Your accounts, your billing.
Your Stripe receives the payments. Your QuickBooks has the synced invoices. Your Twilio sends the SMS. Your SendGrid sends the email. We help you connect them; we do not own them.
You can export anytime.
Standard formats — CSV for tables, JSON for complex entities, original files for attachments. Cancellation gives you 7 days to export before we purge.
Honest SOC 2 disclosure.
We are SOC 2 Type II in progress. The audit lands in Q4 2026. We disclose the status honestly — no marketing-flex on an unfinished audit.
Compliance posture
Where we are. Where we are not.
The rows we have not finished are listed with the same dignity as the ones we have. That is the point.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Audit target Q4 2026. |
| PCI DSS | Via Stripe | Payments processed by Stripe (certified PCI-DSS Level 1). Card details never touch our servers. |
| GDPR | DSR portal | Customer-facing DSR submission. 30-day response. |
| CCPA | DSR portal | Customer-facing DSR submission. 45-day response. |
| HIPAA | Not in scope | We do not host PHI. Service shops do not need HIPAA. |
| ISO 27001 | Not yet | Will revisit at $5M ARR. |
SOC 2 Type IIIn progress
Audit target Q4 2026.
PCI DSSVia Stripe
Payments processed by Stripe (certified PCI-DSS Level 1). Card details never touch our servers.
GDPRDSR portal
Customer-facing DSR submission. 30-day response.
CCPADSR portal
Customer-facing DSR submission. 45-day response.
HIPAANot in scope
We do not host PHI. Service shops do not need HIPAA.
ISO 27001Not yet
Will revisit at $5M ARR.
How we handle data
Encryption, backups, payments, incident response
01
Encrypted at rest (AES-256) and in transit (TLS 1.3).
02
Daily encrypted backups; 30-day retention. Point-in-time recovery to any moment in the last 7 days.
03
Hosted on Supabase (database) and Vercel (web app). US-East-2 primary, US-West-2 backup.
04
Incident response: any security event triggers a tenant notification within 24 hours via email. A public status page lands ahead of GA.
05
Payments are securely processed by Stripe, a certified PCI-DSS Level 1 Service Provider — the highest level of payment-security compliance. Your card details are encrypted and sent directly to Stripe; they never touch our servers, and we never store your card number.
DSR portal
CCPA + GDPR request submission
CCPA and GDPR data-subject-rights requests can be submitted by email. Anyone — your customers, your customers’ attorneys — can submit a request. We respond within the statutory timelines (30 days GDPR, 45 days CCPA per California and EU privacy law). A self-serve DSR portal lands ahead of GA.
Security FAQ
What buying committees ask
Supabase (database) and Vercel (web app). US-East-2 primary, US-West-2 backup. We can offer EU-hosting for European tenants — talk to sales.
Yes, anytime. CSV for tables, JSON for complex entities, original files for attachments. On cancellation, you have 7 days to export before we purge.
SOC 2 Type II audit in progress, target completion Q4 2026. We disclose the status honestly — we do not claim certified until certified.
Email privacy@tradeskit.io. Anyone — your customers, your customers’ attorneys — can submit a request. We respond within statutory timelines (30 days GDPR, 45 days CCPA).
No. Our AI loops are bounded to your tenant — they read your data, act within your tenant, and never cross tenants. We do not use customer data to train base models. We disclose this in the MSA.
Yes — BYO-credentials is our standard. Your accounts, your billing, your contracts. We help you connect them; we do not own them.
Payments are securely processed by Stripe, a certified PCI-DSS Level 1 Service Provider — the highest level of payment-security compliance. Your card details are encrypted and sent directly to Stripe; they never touch our servers, and we never store your card number.
Standard is 99.9% on the Scale tier. 99.95% optional add-on on Enterprise. We email tenant admins within 24 hours of any outage; a public status page lands ahead of GA.
Google + Microsoft SSO on Scale and Enterprise tiers. Custom SAML SSO in V2 — talk to sales if you need it sooner.
We do not open-source the platform, but we can provide architecture diagrams + a security architecture review for Enterprise customers under MSA.
Talk to our team about your security review
We will share the architecture diagram, the SOC 2 progress letter, and an open Q&A with the engineering lead.