Security
A founder's strategy, customer interviews, financials, and pitch are some of the most sensitive material a company holds. NextStage treats it that way at every layer — encryption in transit, encryption at rest, audited infrastructure, peer-reviewed code, and access controls enforced at the database.
01
All traffic between your browser, our servers, our database, and every third party we touch is encrypted with TLS 1.2 or higher. HTTPS-only by default. WebSocket connections use WSS.
02
Every row of your data — the loadout slots, vault documents, generated artifacts, chat history, evidence library — is encrypted at rest with AES-256. Storage objects are encrypted. Backups are encrypted.
03
NextStage is built on SOC 2 Type II compliant providers end-to-end. Every layer your data touches — database, hosting, models, compute, observability, email — is independently audited.
04
Every code change passes peer review, an automated test suite, and continuous dependency vulnerability scanning before it merges. Production deploys are immutable. Secrets are never committed.
05
Point-in-time recovery on the primary database. Cross-region backups stored separately from production infrastructure. Backups are encrypted and access-restricted.
06
Role-based permissions enforced at the database level via Row-Level Security. Coaches see what they should. Cofounders see what they should. Nothing leaks across boundaries.
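What "enforced at the database level via Row-Level Security" looks like in practice, as an added Postgres/Supabase example that is not NextStage's own schema or policies: the tables `company_members` and `vault_documents`, the column `shared_with_coach`, and the two role values are assumptions, while `auth.uid()` and the `authenticated` role are Supabase's.

```sql
-- Assumed schema (not NextStage's): a document belongs to a company, and a
-- person's access to that company is recorded once, together with their role.
create table company_members (
  company_id uuid not null,
  user_id    uuid not null,   -- matches auth.users.id in Supabase
  role       text not null check (role in ('cofounder', 'coach')),
  primary key (company_id, user_id)
);

create table vault_documents (
  id                uuid primary key default gen_random_uuid(),
  company_id        uuid not null,
  title             text not null,
  shared_with_coach boolean not null default false,
  body              text
);

-- Enable RLS and FORCE it so even the table owner is bound by the policies.
-- An RLS-enabled table with no matching policy returns zero rows: deny by default.
alter table vault_documents enable row level security;
alter table vault_documents force row level security;

-- Cofounders see every document in their own company and nothing else.
create policy cofounder_read on vault_documents
  for select to authenticated
  using (
    exists (
      select 1 from company_members m
      where m.company_id = vault_documents.company_id
        and m.user_id = auth.uid()   -- Supabase: subject of the caller's JWT
        and m.role = 'cofounder'
    )
  );

-- Coaches see only documents a cofounder has explicitly shared with coaches.
create policy coach_read on vault_documents
  for select to authenticated
  using (
    shared_with_coach
    and exists (
      select 1 from company_members m
      where m.company_id = vault_documents.company_id
        and m.user_id = auth.uid()
        and m.role = 'coach'
    )
  );

-- Check: run as a coach. Rows from other companies, and unshared rows from
-- their own company, are absent from the result rather than raising an error.
-- select id, title from vault_documents;
```

`company_members` needs its own RLS with no insert or update policy for ordinary users, otherwise a caller could grant themselves a role; and because Supabase's service_role key bypasses RLS, it must never reach the browser.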
Audited infrastructure
NextStage is composed of a small set of providers, each with its own SOC 2 Type II attestation. Your data flows through them; their audits cover them.
| Provider | Role | Attestation |
|---|---|---|
| Supabase | Database, storage, auth, realtime | SOC 2 Type II |
| Vercel | Hosting, edge network, deployments | SOC 2 Type II |
| Anthropic | Claude — language model | SOC 2 Type II |
| OpenAI | Whisper, fallback embeddings | SOC 2 Type II |
| Modal | Self-hosted NLI compute (MiniCheck) | SOC 2 Type II |
| Resend | Transactional email | SOC 2 Type II |
| Sentry | Error monitoring | SOC 2 Type II |
Compliance posture
Today
Every claim on this page is true now. Encryption is on by default. Backups are running. Code review and dependency scanning are part of every merge. The infrastructure NextStage runs on is independently audited at SOC 2 Type II.
In progress
NextStage's own SOC 2 Type II attestation is being prepared. The application layer — our policies, access controls, and incident response — is in audit. Once attested, we'll publish the report under NDA on request.
Annually
Independent penetration testing on the application surface. Findings remediated and re-tested before the engagement closes.
Report a vulnerability
We treat security reports seriously and respond within one business day. Email security@nextstage.co with steps to reproduce. Coordinated disclosure is honored. We don't pursue researchers acting in good faith.
Encryption, audited infrastructure, and access controls are the floor. The work is what compounds.