Security

Built for fundraisable data.

Your plan contains the most sensitive numbers in your business — valuations, projections, customer pipeline, cap table. CoreNode is built with investor-grade security from the foundation up, not retrofitted.

Last updated · 12 May 2026

Auth & sessions

Supabase Auth with httpOnly session cookies (no JWT in localStorage). Sessions are server-only and bound to client cookies; tokens never live in browser JS. Password reset over signed email links with short expiry.

Data at rest

Postgres + Storage hosted in EU region under SOC 2 Type II controls. Row-level security (RLS) enforces user + organization scoping on every query. Database backups encrypted; point-in-time recovery configured.
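As an added illustration, not CoreNode's own schema or code, this is how the user + organization scoping described above is typically expressed as Postgres RLS policies under Supabase Auth; the table and column names are assumptions, and auth.uid() is Supabase's helper that returns the caller's user id from the verified session.

```sql
-- Added illustration with assumed table names; not CoreNode's schema.
-- Every policy derives identity from auth.uid(), never from client input.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table org_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  primary key (org_id, user_id)
);

create table plans (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null references organizations(id) on delete cascade,
  owner_id uuid not null references auth.users(id),
  content  jsonb not null default '{}'::jsonb
);

-- Deny by default: with RLS enabled and no matching policy, a query
-- through the anon/authenticated roles returns no rows at all.
alter table org_members enable row level security;
alter table plans       enable row level security;

-- A user may only see their own membership rows.
create policy org_members_self on org_members
  for select using (user_id = auth.uid());
-- Reads: any member of the plan's organization.
create policy plans_select_member on plans
  for select using (
    exists (select 1 from org_members m
            where m.org_id = plans.org_id and m.user_id = auth.uid())
  );

-- Writes: the owner only, and the row must stay inside an organization
-- the caller belongs to. USING gates the existing row, WITH CHECK the
-- new row, so an UPDATE cannot move a plan into a foreign organization.
create policy plans_modify_owner on plans
  for all using (owner_id = auth.uid())
  with check (
    owner_id = auth.uid()
    and exists (select 1 from org_members m
                where m.org_id = plans.org_id and m.user_id = auth.uid())
  );

-- Caveat: the service_role key bypasses RLS entirely, which is why it
-- must stay server-side in a secrets manager and never reach a client.
```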

Data in transit

TLS 1.3 end-to-end. HSTS preload-listed. Strict CSP including frame-ancestors. Service-to-service calls use mTLS where supported by the upstream.

AI inference

Anthropic Claude with zero retention enabled — your plan content is not used to train shared models and is not retained beyond the request. We rotate API keys quarterly.

Engineering practices

Every commit, every release.

  • Dependency scanning on every commit (Dependabot + npm audit on CI).
  • Pre-merge type-check, lint, unit, integration, visual regression, a11y, Lighthouse gates.
  • Sentry monitoring with alerting on auth/payment/data-export error rates.
  • Quarterly key rotation; service-role keys held in secrets manager, never in source.
  • Incident response runbook with documented escalation path.

Disclosure & audits

Responsible disclosure: report vulnerabilities to security@corenode.app. We acknowledge within one business day. For SOC 2 reports, penetration test summaries, or DPA copies, contact us under NDA.
