Security & Trust
We sell incident readiness. Ours included.
You trust poisettx with your policies, your plans, and how your team responds under pressure. Here is exactly how we protect that, without marketing gloss.
Encryption everywhere
All data is encrypted in transit (TLS) and at rest. Uploaded documents live in private storage buckets; downloads use short-lived signed URLs.
Hard tenant isolation
Every organization's data is isolated at the database level with row-level security. Isolation is enforced by the database itself, not just application code.
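What "enforced by the database itself" looks like in practice, as an added illustration rather than poisettx's own schema: a Postgres row-level-security setup (Supabase runs on Postgres) that scopes reads to an organization's members and writes to its admins, so a missing or wrong WHERE clause in application code cannot leak another tenant's rows. The table names, the sample ids and the current_user_id() helper are assumptions made for the example.

```sql
-- Added illustration, not poisettx's schema: tenant isolation with Postgres row-level security.
-- Assumed: a memberships table linking users to organizations, and a hypothetical
-- current_user_id() helper reading the caller's id from a per-transaction session setting
-- (on Supabase, auth.uid() plays this role).
create table organizations (id uuid primary key);
create table memberships (
  user_id         uuid not null,
  organization_id uuid not null references organizations (id),
  role            text not null check (role in ('admin', 'participant')),
  primary key (user_id, organization_id)
);
create table documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations (id),
  title           text not null
);
-- Constructed sample data: two organizations, one participant who belongs to org A only.
insert into organizations values ('00000000-0000-0000-0000-00000000000a'),
                                 ('00000000-0000-0000-0000-00000000000b');
insert into memberships values ('00000000-0000-0000-0000-000000000001',
                                '00000000-0000-0000-0000-00000000000a', 'participant');
insert into documents (organization_id, title) values
  ('00000000-0000-0000-0000-00000000000a', 'Org A runbook'),
  ('00000000-0000-0000-0000-00000000000b', 'Org B runbook');
create function current_user_id() returns uuid
  language sql stable
  as $$ select nullif(current_setting('app.user_id', true), '')::uuid $$;
-- Enable RLS and FORCE it so the table owner (typically the app's DB role) is bound by it too.
-- Superusers and roles with BYPASSRLS still skip RLS, so the application must not run as one.
alter table documents enable row level security;
alter table documents force row level security;
-- Read: any member of the document's organization. Rows matching no policy are invisible,
-- whatever WHERE clause the application sends or forgets to send.
create policy documents_read on documents for select
  using (exists (select 1 from memberships m
                 where m.organization_id = documents.organization_id
                   and m.user_id = current_user_id()));
-- Write: admins only. WITH CHECK rejects a row tagged with an organization the caller does
-- not administer, so a forged organization_id in a request is refused by Postgres itself.
create policy documents_write on documents for insert
  with check (exists (select 1 from memberships m
                      where m.organization_id = documents.organization_id
                        and m.user_id = current_user_id() and m.role = 'admin'));
-- Verification, run as the table owner: query as the org A participant and compare
-- with the same query run before RLS was enabled.
begin;
set local app.user_id = '00000000-0000-0000-0000-000000000001';
select title from documents;
rollback;
```

The same pattern extends to every tenant-scoped table (sessions, transcripts, debrief reports); the check that matters in review is that no table holding customer data is left without FORCE ROW LEVEL SECURITY and at least one policy.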
Passwordless authentication
Sign-in uses signed magic links: no passwords to phish, leak, or reuse. Role-based access separates admins from participants inside each organization.
AI data handling
Exercise generation sends your organization profile, selected documents, and session transcripts to the Anthropic API. API data is not used to train models, and we never train models on your data ourselves.
Auditable by design
Sessions are fully logged: transcripts, response times, and debrief reports give you the evidence trail NIS2 audits ask for, and give us a clear record of what the platform did.
Responsible disclosure
Found a vulnerability? Tell us at support@poisettx.com and we'll respond fast, fix it, and credit you if you want. We won't take legal action against good-faith research.
Subprocessors
The vendors we rely on to run the platform, what they see, and under which safeguards. The same list, with legal bases, lives in our privacy policy.
| Vendor | Purpose | Location & safeguards |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU region (hosted on AWS). Data processing agreement; encryption at rest and in transit. |
| Vercel | Application hosting and content delivery | Global edge network; compute in EU/US regions. Data processing agreement; EU Standard Contractual Clauses. |
| Anthropic | AI generation (simulations, documents, agents, debriefs) | United States. API data is not used to train models; EU Standard Contractual Clauses / EU-US Data Privacy Framework. |
| Stripe | Subscription billing and payment processing | EU/US. PCI-DSS certified; EU Standard Contractual Clauses. |
| Voyage AI | Document embeddings for in-exercise document search | United States. EU Standard Contractual Clauses. |
| Calendly | Demo scheduling | United States. EU Standard Contractual Clauses. |
Compliance, honestly
We are an early-stage company and we won't pretend otherwise: SOC 2 and ISO 27001 certifications are on our roadmap, not on our wall. What we can say today: the platform is built GDPR-first (EU data residency for the primary database, documented subprocessors, data processing agreements available on request via support@poisettx.com), it is designed to produce the exercise evidence NIS2 Article 21 asks of our customers, and we run our own incident tabletops on poisettx itself.
Questions our security page doesn't answer?
Security reviews and DPA requests welcome. We answer vendor-assessment questionnaires faster than most.