Cap tables, financial models, term sheets — we treat them with the same controls a Tier-1 bank would.
TLS 1.3 across all endpoints, with HSTS preload. No HTTP fallback, ever.
AES-256 encryption at rest for all primary databases, S3 buckets, and backups. Keys managed in AWS KMS with annual rotation.
Internal access governed by least-privilege roles. Only on-call engineers can read production logs. All access is audited.
Hardware-key MFA mandatory for all employee accounts (Google Workspace, AWS, GitHub, Vercel, Stripe, Postmark).
Founder data rooms require investor NDA acceptance. Every view is logged. Founders can revoke access with one click.
Every read of a founder artefact is timestamped, attributed, and exportable by the founder at any time.
Sentry, CloudWatch, and a SOC 2-aligned alerting pipeline. PagerDuty escalation for any P1 incident.
Independent third-party penetration test every quarter. Latest report available under NDA on request.
Every subprocessor (Stripe, Postmark, Cloudflare, Sentry) vetted annually for SOC 2 Type II.
We run a responsible-disclosure program. Email security@pocketfund.in with details of the issue, steps to reproduce, and your PGP key (if any). We'll acknowledge within 24 hours, triage within 72 hours, and credit you in our hall of fame on resolution. We pay bug bounties for verified vulnerabilities — see the policy on the contact page.