How ExecReps Protects Your Data
A Technical Security Overview
For CTOs, CISOs, and IT leaders evaluating ExecReps for their organization.
ExecReps processes sensitive data — voice recordings, performance assessments, career goals, and organizational practice patterns. Enterprise buyers deserve full transparency into how that data is protected.
This document is written for the person who fills out vendor security questionnaires — not marketing. Every claim below is verifiable against our production architecture.
Infrastructure & Hosting
| Layer | Provider | Detail |
|---|---|---|
| Application hosting | Vercel (Enterprise) | Next.js 15 on Vercel's Edge Network. All traffic served over TLS 1.2+. Automatic DDoS protection via Vercel's infrastructure. |
| Database | Supabase (PostgreSQL 15) | Managed PostgreSQL with connection pooling via Supavisor. Database hosted on AWS infrastructure in the US. |
| Authentication | Supabase Auth | Built on GoTrue. Supports email/password with magic link, Google OAuth, and SSO (SAML 2.0 available via Supabase enterprise). |
| File storage | Vercel Blob Storage | Audio recordings stored with signed URLs — no public access. URLs expire after a configurable TTL. |
| DNS & CDN | Vercel Edge Network | Global CDN with automatic SSL certificate management. HSTS enabled. |
What this means: Your data never touches a server we manage directly. Infrastructure security (patching, network isolation, physical security) is handled by Vercel (SOC 2 Type II) and Supabase/AWS (SOC 2 Type II, ISO 27001).
Data Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. This includes:
- API requests (workout submissions, analytics queries, team management)
- Audio file uploads and playback
- Authentication tokens and session data
- Webhook payloads between services
At Rest
- Database: Supabase encrypts all data at rest using AES-256 via the underlying AWS infrastructure
- Audio files: Stored in Vercel Blob with AES-256 encryption at rest
- Backups: Supabase automated daily backups are encrypted
Authentication & Access Control
User Authentication
- Magic link email — passwordless primary flow (reduces credential stuffing risk)
- Google OAuth — delegated authentication via Google's identity provider
- Email verification required before accessing any team or workout data
- Session management via Supabase Auth with JWTs (short-lived access tokens plus refresh tokens)
- Domain-based team matching requires verified email
Row-Level Security (RLS)
Every database query passes through PostgreSQL Row-Level Security policies. This is not application-level filtering — it's enforced at the database engine level.
What RLS means in practice:
- A member of Team A cannot query, join, or see any data belonging to Team B
- Team managers see analytics only for their assigned sub-teams, enforced by database policy
- Account managers see all teams but cannot modify account settings or billing
- Even our own application code cannot bypass these policies when it runs in a user context (queries issued with the user's JWT). Supabase's service-role key bypasses RLS by design, so this guarantee covers user-facing queries, not server-side code holding that key.
Role-Based Permissions
| Role | Scope | Can Access |
|---|---|---|
| Owner | Root team | Everything including billing, account deletion |
| Admin | Root team | Team settings, all analytics, member management, feature flags |
| Account Manager | All teams | CSV import/export, all team analytics, sub-team creation. Cannot access billing or account settings. |
| Manager | Assigned sub-teams only | Analytics and member management scoped to their subtree |
| Member | Own data only | Personal workout history, scores, and career profile |
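To make the RLS description and the role table above concrete, here is an added illustration, not ExecReps' own schema or policies: a minimal PostgreSQL setup in which team isolation and subtree-scoped manager access are enforced by row-level security rather than by application filtering. The table names, columns, role strings and the `managed_team_ids()` helper are assumptions; `auth.uid()` and the `authenticated` role follow Supabase's conventions.

```sql
-- Added example, not ExecReps' real schema or policies: a minimal PostgreSQL
-- illustration of team isolation and subtree-scoped manager access with RLS.
-- Assumes Supabase's auth.uid() helper (returns the caller's JWT "sub" claim)
-- and the 'authenticated' role that PostgREST switches to for each request.

create table teams (
  id        uuid primary key default gen_random_uuid(),
  parent_id uuid references teams(id),   -- null for the root (account) team
  name      text not null
);

create table memberships (
  user_id uuid not null,                 -- compared against auth.uid()
  team_id uuid not null references teams(id),
  role    text not null check (role in
          ('owner', 'admin', 'account_manager', 'manager', 'member')),
  primary key (user_id, team_id)
);

create table workouts (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null,
  team_id    uuid not null references teams(id),
  score      int,
  created_at timestamptz not null default now()
);

-- Every team in the subtree below any team where the caller holds a managing
-- role. Root-team roles (owner, admin, account_manager) therefore see the whole
-- account; a manager sees only the sub-teams they are assigned to.
-- SECURITY DEFINER so this lookup is not itself subject to RLS on memberships.
create or replace function managed_team_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  with recursive sub(team_id) as (
    select m.team_id
      from memberships m
     where m.user_id = auth.uid()
       and m.role in ('owner', 'admin', 'account_manager', 'manager')
    union
    select t.id from teams t join sub on t.parent_id = sub.team_id
  )
  select team_id from sub
$$;

-- Supabase grants these on the public schema by default; shown for plain Postgres.
grant select, insert on workouts to authenticated;
grant select on memberships to authenticated;
grant execute on function managed_team_ids() to authenticated;

alter table memberships enable row level security;
alter table workouts    enable row level security;
-- FORCE applies the policies to the table owner too; without it the owning
-- role (and any role with BYPASSRLS) reads every row regardless of policy.
alter table workouts    force row level security;

-- Members: only rows they wrote themselves.
create policy workouts_self_select on workouts for select
  to authenticated using (user_id = auth.uid());

-- Managing roles: rows belonging to any team in their subtree, read-only here.
create policy workouts_subtree_select on workouts for select
  to authenticated using (team_id in (select managed_team_ids()));

-- Inserts must be for the caller, into a team the caller belongs to;
-- a member of Team A cannot write a row tagged with Team B's id.
create policy workouts_self_insert on workouts for insert
  to authenticated with check (
    user_id = auth.uid()
    and exists (select 1 from memberships m
                 where m.user_id = auth.uid() and m.team_id = workouts.team_id)
  );

-- Users may read their own membership rows (for the UI; the policies above
-- do not need this because the definer function bypasses RLS).
create policy memberships_self_select on memberships for select
  to authenticated using (user_id = auth.uid());

-- Spot-check the way PostgREST runs a request: switch role, inject claims.
-- begin;
-- set local role authenticated;
-- select set_config('request.jwt.claims', '{"sub":"<uuid of a Team A member>"}', true);
-- select * from workouts where team_id = '<Team B uuid>';  -- returns no rows
-- rollback;
```

Two details in this example are the ones a reviewer of any RLS-based isolation claim should ask about. First, `FORCE ROW LEVEL SECURITY`: without it the table owner is exempt from its own policies, and a connection pooler or migration role that happens to own the tables sees everything. Second, the `SECURITY DEFINER` helper: policies that consult a memberships table need a way to read it without recursing into that table's own policies, and a definer function with a pinned `search_path` is the standard way to do that without granting the user role broad read access.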
Data Processing & Sub-Processors
See full list at /sub-processors. Key processors:
| Sub-Processor | Data Processed | Purpose |
|---|---|---|
| OpenAI (GPT-4) | Workout text prompts, user responses (text) | AI-powered scoring and feedback |
| AssemblyAI | Audio recordings | Speech-to-text transcription |
| Stripe | Payment info, billing emails | Subscription billing |
| Supabase | All application data | Database, auth, storage |
| Vercel | Application code, request logs | Hosting and CDN |
| Resend | Email addresses, names | Transactional email delivery |
| Aikido Security | Source code (read-only) | Continuous security scanning (SAST, DAST, SCA, secrets, license compliance) |
Voice Data Lifecycle
- User records audio in the browser (WebRTC); the audio never leaves the device until submit
- Audio uploaded via signed URL to Vercel Blob (TLS in transit, AES-256 at rest)
- Sent to AssemblyAI for transcription (processing only, not stored by AssemblyAI after processing)
- Transcript sent to OpenAI for scoring (processing only, not stored per our API agreement)
- Scores and feedback stored in Supabase database
- Audio files retained per team admin's configured retention policy
- Users can delete their own recordings at any time
Key privacy point: Neither AssemblyAI nor OpenAI retains your data after processing. We use API agreements that explicitly prohibit training on customer data.
Compliance Status
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | Via infrastructure providers | Vercel and Supabase/AWS maintain SOC 2 Type II. ExecReps application-level SOC 2 planned for 2026. |
| GDPR | Compliant by design | Data minimization, right to erasure, data portability, sub-processor transparency, DPA available. |
| CCPA/CPRA | Compliant | Do-not-sell honored, deletion requests processed within 30 days, no data selling. |
| FERPA | Architecture supports | RLS isolation supports educational institution requirements. Formal certification not yet pursued. |
| HIPAA | Not applicable | ExecReps does not process protected health information. |
Transparency Notes
- Audit logging: In development — will track admin actions, data exports, and permission changes with immutable logs
- Data retention controls: Team admins will be able to set retention policies per data type
- Security scanning: Continuous automated security scanning via Aikido Security (SAST, DAST, SCA, secrets detection). OWASP ZAP and Semgrep being added to CI/CD pipeline. Formal third-party penetration test planned for 2026.
- Bug bounty: Under evaluation
Incident Response
- Supabase and Vercel handle infrastructure-level incident response per their published policies
- Application-level incidents: We commit to notifying affected customers within 72 hours of a confirmed data breach (the same window GDPR Article 33 sets for notifying a supervisory authority)
- Contact: security@execreps.ai
Requesting More Information
For enterprise security questionnaires, DPA requests, or detailed technical questions:
- Email: security@execreps.ai
- Sub-processors: /sub-processors
- Privacy Policy: /privacy
- Terms of Service: /terms
We're happy to schedule a technical deep-dive with your security team.
Last updated: March 2026
Legal entity: Product Coalition, Inc. (Delaware)