Honest Growth

Security · honest answers, no certifications we don't hold

How we secure your data.

Honest answers about a small company's security posture. No certifications we don't hold, no claims we can't back. Here is exactly how your data is handled.

Encryption

All traffic between your browser, our servers, and every vendor we rely on is encrypted in transit with TLS 1.3. There is no unencrypted path into the application.

At rest, your data is encrypted with AES-256. Meta access tokens are encrypted as individual database fields, not just at the disk layer, so a database snapshot on its own does not expose a usable token.

Data residency

The application database is hosted on Supabase, a managed Postgres provider. Your account data is stored and processed in the United States.

Data retention

We hold your data only as long as you have an account, and we wipe it within 30 days of deletion. The full data doctrine — what we keep, for how long, and how to export or delete it — is on the privacy page.

Subprocessors

Every third-party vendor that touches your data is listed publicly, with what it is used for and what data it sees, on the subprocessors page. We do not add a vendor without disclosing it there.

Incident response

If we detect a security incident affecting customer data, we commit to notifying affected customers within 72 hours of confirming it — with what happened, what data was involved, and what we are doing about it.

To report a vulnerability or a suspected incident, email security@nachiketpai.com. Reports are read by the founder directly.

Compliance status — the honest version.

We would rather under-claim here than have a security review catch us overstating. This is where we actually stand.

SOC 2

Not yet

We do not hold a SOC 2 certification. Honest Growth is a small company and a formal audit is not something we can claim today. If we pursue one, this page will say so with a date.

GDPR

Aligned

We are GDPR-aligned: data minimization, a documented retention policy, export and deletion on request, and a public subprocessor list. We are not claiming a third-party certification — we are describing how the product is built.

Data Processing Agreement

Available

A DPA is available for customers who need one. It is summarized, and can be requested, on the DPA page.

Security questions, vendor reviews, or a vulnerability to report?

security@nachiketpai.com