Security
You're uploading legal documents. We treat them that way.
ExactCircle stores signed buyer representation agreements — documents with real names, real contact information, and real financial terms. Our security posture reflects that. Here's how we protect your data, without the marketing fog.
Encryption at rest and in transit
All traffic is TLS 1.2+. PDFs are encrypted at rest using AES-256 managed by our storage provider. No customer file is ever stored unencrypted on disk.
Short-lived signed URLs
PDFs are served via signed URLs that expire in 60 minutes. There are no public buckets, no shareable links, and no long-lived tokens embedded in the app.
Row-level data isolation
We enforce Postgres Row Level Security on every table. A query issued by one agent physically cannot return another agent's rows — it is a database-layer guarantee, not an application check we hope is correct.
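The isolation described above, as an added illustration rather than ExactCircle's own schema: a per-agent Row Level Security setup in plain Postgres, written in the Supabase convention where `auth.uid()` returns the authenticated user's UUID. The table name, column names and policy names are assumptions for the example.

```sql
-- Added example (not ExactCircle's schema): per-agent isolation with
-- Postgres Row Level Security. auth.uid() is Supabase's helper returning the
-- caller's user id; the table and columns below are assumed for illustration.
create table agreements (
  id          uuid primary key default gen_random_uuid(),
  agent_id    uuid not null,          -- owning agent; assumed to equal auth.uid()
  buyer_name  text not null,
  pdf_path    text not null,          -- object key in storage, never a public URL
  created_at  timestamptz not null default now()
);

-- Enable RLS. An RLS-enabled table with no policies returns no rows at all
-- (default deny), which is the safe failure mode if a policy is forgotten.
alter table agreements enable row level security;

-- FORCE applies the policies to the table owner as well; without it the owner
-- role bypasses RLS silently. Superusers and roles with BYPASSRLS still bypass it.
alter table agreements force row level security;

-- One policy per operation so the predicate is explicit for reads and writes.
-- USING filters rows the caller may see/touch; WITH CHECK constrains rows
-- the caller may create or turn into, so an agent cannot re-home a row.
create policy agreements_select_own on agreements
  for select using (agent_id = auth.uid());

create policy agreements_insert_own on agreements
  for insert with check (agent_id = auth.uid());

create policy agreements_update_own on agreements
  for update using (agent_id = auth.uid())
             with check (agent_id = auth.uid());

create policy agreements_delete_own on agreements
  for delete using (agent_id = auth.uid());

-- Check: run as an authenticated, non-owner role. This asks for every row but
-- returns only the caller's; a WHERE naming another agent's id yields zero rows
-- rather than an error, so the application never sees the other tenant's data.
select id, buyer_name, pdf_path from agreements;
```

The check only proves something when executed as the low-privilege role the application actually uses. Connections as the table owner (without FORCE), a superuser, or Supabase's service-role key bypass RLS entirely, so any server-side code path that holds those credentials must be reviewed separately; the database-layer guarantee covers the roles the policies apply to.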
No training on your data
Your agreements are not used to train AI models. We do not share customer data with third parties beyond the infrastructure providers required to run the product.
Tight access control
Only a small number of engineers can access production infrastructure, and all production access is logged. We do not casually browse customer data.
Known-good infrastructure
We host on Vercel (US regions) with Supabase for Postgres and object storage. Email via Resend. All three are SOC 2 compliant providers. Full subprocessor list available on request.
Compliance status
ExactCircle is an early-stage product being used by working agents. We are transparent about where we are on the compliance ladder — the short version is below.
- GDPR / CCPA: Compliant — data export and deletion on request within 30 days.
- SOC 2: Inheriting from underlying providers (Vercel, Supabase). Independent audit: on roadmap for post-revenue.
- Data residency: All data stored in US regions.
- Backups: Automatic daily Postgres backups retained for 7 days; storage objects are replicated.
- Subprocessors: Vercel, Supabase, Resend. Full list with purposes available on request.
- Breach notification: We notify affected customers within 72 hours of confirmed compromise.
Questions or want a signed subprocessor list? Contact us.
Still evaluating? Talk to us.
Security reviews welcome. We'll answer honestly, including what we haven't done yet.