Security & compliance

Where the data lives, and what it doesn’t.

Written for procurement, IT security, and legal reviewers — the facts as they stand today, including the things we don’t yet claim. No marketing wrapper.

A forwardable URL. If your security team needs a vendor questionnaire or a counter-signed DPA, see Contact below.

01 Confidentiality is architectural

Enforced in code, not by policy.

Candorings can’t leak responses to the wrong party because the wrong party isn’t in the data path. These are structural guarantees, not promises.

  • Row-level security on every sensitive table. Default-deny, narrow policies; the database itself rejects cross-engagement reads.
  • The Synthesizer never sees leader identity. It receives evidence text only — no names, no roster, no link back to who said what — so even an arbitrary prompt cannot exfiltrate what isn’t in its context. Hypothesis-vs-evidence gaps are computed deterministically outside the synthesis call.
  • A deterministic Confidentiality Guard runs before the leader sees anything. It enforces the per-cut minimum-N, suppresses or merges small segments, and scrubs identifiers. It is not an LLM judgement.
  • Segmentation protects the individual, not just the average. Cuts by role, tenure, or sub-function are released only when the segment clears the minimum-N gate; smaller cuts are suppressed or merged.
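An added illustration, not Candorings' own code, of the deterministic min-N gate and identifier scrub described above. The threshold, the sample responses, the merge-into-largest fallback for a residual bucket that is still too small, and the names guard_cut, guarded_evidence and scrub are assumptions made for this example:

```python
import re
from collections import defaultdict

MIN_N = 3  # assumed per-cut threshold for this example; the page does not publish its value

# Constructed sample responses: segment labels plus a 1-5 score and free-text evidence.
RESPONSES = [
    {"role": "AE",  "tenure": "<1y",  "score": 2, "text": "Forecast calls run long; ask bob@example.com"},
    {"role": "AE",  "tenure": "1-3y", "score": 3, "text": "Deal desk turnaround is the bottleneck"},
    {"role": "AE",  "tenure": "1-3y", "score": 4, "text": "Territory plan is clear"},
    {"role": "SDR", "tenure": "<1y",  "score": 1, "text": "Lead routing is opaque"},
    {"role": "SDR", "tenure": "<1y",  "score": 2, "text": "Quotas moved twice this quarter"},
    {"role": "SDR", "tenure": "3y+",  "score": 5, "text": "Enablement improved this year"},
    {"role": "CSM", "tenure": "3y+",  "score": 4, "text": "Renewals handoff works"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def scrub(text: str) -> str:
    """Deterministic identifier scrub (email addresses here); runs before text leaves the guard."""
    return EMAIL_RE.sub("[email redacted]", text)

def mean(scores):
    return round(sum(scores) / len(scores), 2)

def guard_cut(responses, dimension, min_n=MIN_N):
    """Release per-segment means for one cut (e.g. 'role') only where the segment clears min_n.
    Segments below min_n are merged into 'other'. If that bucket is still below min_n it is
    folded into the largest released segment instead of being dropped, so a reader cannot
    recover the small group's mean by differencing the overall figure against the released
    segments. Returns None when no segment clears min_n (the whole cut is suppressed)."""
    buckets = defaultdict(list)
    for r in responses:
        buckets[r[dimension]].append(r["score"])
    big = {seg: s for seg, s in buckets.items() if len(s) >= min_n}
    small = [x for seg, s in buckets.items() if seg not in big for x in s]
    if not big:
        return None
    if len(small) >= min_n:
        big["other"] = small
    elif small:
        largest = max(big, key=lambda seg: len(big[seg]))
        big[f"{largest} (incl. small segments)"] = big.pop(largest) + small
    return {seg: {"n": len(s), "mean": mean(s)} for seg, s in big.items()}

def guarded_evidence(responses):
    """Evidence text is released scrubbed, with no segment label or respondent identity attached."""
    return [scrub(r["text"]) for r in responses]
```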
02 Sub-processors

Where your data is processed.

Every third party that can touch leader or respondent data, with region and transfer basis. Anthropic and Stripe are in the United States under Standard Contractual Clauses; everything else runs in the EU.

Service, purpose, region, and transfer basis:

  • Supabase
    Purpose: Managed Postgres (leader + respondent data, RLS-enforced), passwordless auth, storage.
    Region: EU
    Transfer basis: Within the EU.
  • Anthropic
    Purpose: LLM inference for the Diagnostic Designer, Interviewer, Synthesizer, and Intervention Planner.
    Region: United States
    Transfer basis: EU → US under Standard Contractual Clauses and a signed DPA, on zero-retention, no-training terms.
  • Resend
    Purpose: Transactional email (magic-link sign-in, respondent invites, reminders).
    Region: EU
    Transfer basis: Within the EU.
  • Stripe
    Purpose: Payment processing for per-engagement fees and the platform subscription.
    Region: United States (Stripe global infrastructure)
    Transfer basis: EU → US under Standard Contractual Clauses. Card data is collected by Stripe directly; Candorings never sees or stores card details.

Hosting: the application runs on managed serverless infrastructure. No respondent interview content is written to application logs; the canonical store is Supabase.

03 Retention

What we keep, for how long, and what we don’t.

Raw interview transcripts exist only while an engagement is open. Once it closes they are deleted or irreversibly anonymised, leaving only the guarded, aggregate readout.

  • 01 Raw interview transcripts
    Retention: Retained for the engagement, then deleted or anonymised
    After an engagement closes, raw transcripts are deleted or irreversibly anonymised; only the guarded readout remains. A leader can request earlier deletion.
  • 02 Guarded readout & revenue actions
    Retention: Lifetime of the engagement
    Identifier-scrubbed and min-N-gated by the mandatory Confidentiality Guard before a leader ever sees it. Exportable or deletable on request.
  • 03 Account, consent & billing records
    Retention: Lifetime of the account + statutory period
    Tied to the leader’s organisation; deleted on erasure, subject to EU tax and consumer-law retention.
  • 04 Aggregated operational logs
    Retention: Limited operational retention
    Used for incident response and abuse detection. No respondent answers or interview content.

04 Authentication & access

Passwordless, scoped, audited.

  • Revenue leaders sign in with single-use magic links to a verified work email. No passwords are stored or accepted, so there is nothing to phish or leak; issuance is rate-limited.
  • Respondents never create an account. Each invite is a unique, single-use, device-bound link scoped to one engagement and one response.
  • Operator access is limited to a small number of named staff through an environment-gated admin surface. Staff do not access interview content in normal operation; database access is logged.
  • Sessions are verified against the auth server on every request — the verified user, never a cookie taken on trust.
05 Encryption & transport

Standard, end-to-end.

  • In transit: TLS 1.2+ on every connection — browser ↔ application, and application ↔ each sub-processor.
  • At rest: encryption is provided by each EU-region sub-processor: Supabase-managed Postgres, Resend, Stripe.
  • Card data: handled by Stripe directly. Candorings never sees or stores card numbers.
  • Secrets: application secrets live in the platform’s encrypted environment store; the service-role database key never reaches the browser.
06 What we don’t claim

The things we’d rather you read here than not read at all.

The opposite of a marketing security page. If a control or certification isn’t below, assume we don’t have it yet — and if it matters to your review, tell us and we’ll say what the plan is.

No SOC 2

We have not completed a SOC 2 audit. We will publish a report when one exists, and not before.

No ISO 27001

Not pursued at this stage. We will reconsider when buyer demand makes it material.

No formal DPIA published

A Data Protection Impact Assessment is not yet on file. The product is GDPR-by-design — confidentiality is enforced structurally, not by policy — and is documented as such in the Privacy notice.

No sign-in CAPTCHA yet

Magic-link sign-in is rate-limited and does not reveal whether an address exists; a CAPTCHA is on the roadmap.

07 Independent security review

Reviewed at source.

The codebase underwent a source-level security review on 2026-06-17, covering authentication, the confidentiality model and Confidentiality Guard, the interview engine, billing, and web-app hygiene across every database migration. No Critical findings were identified, and no reachable confidentiality leak, no IDOR, no authentication bypass, and no secret exposure were found.

The open items are hardening measures — notably HTTP security headers and a server-side cap plus rate limit on the AI interview path — rather than data-exposure defects, and are tracked for remediation before general availability. We can share the scope and remediation status on request as part of a vendor questionnaire.

08 Breach notification

72 hours, in writing — what we know and what we’re doing.

If we become aware of a personal-data breach affecting leader or respondent data, we notify the relevant controller without undue delay and, where the breach is likely to result in a risk to data subjects, within 72 hours, in line with Article 33 of the GDPR. The procedural commitments live in our Data Processing Agreement, available on request.

Contact

For your security team.

For a vendor questionnaire, a counter-signed DPA, a sub-processor change-notification subscription, or any question this page leaves open, email security@candorings.com. We respond within two business days.

For data-subject requests (access, deletion, portability), email privacy@candorings.com.