Policy Stack handles sensitive financial data — policy values, loan balances, capital deployments, and carrier information. Our security architecture reflects the sensitivity of that data at every layer.
Every financial value stored in Policy Stack — cash values, death benefits, loan balances, premium amounts, deployment figures, and policy numbers — is encrypted at rest using AES-256-GCM field-level encryption. Each encrypted field uses a unique initialization vector and authentication tag. Raw financial data is never stored in plain text.
All data in transit is protected with TLS 1.3. Whether you're entering a snapshot or reviewing your capital position, your connection is encrypted end to end.
Encryption keys are stored in environment variables, never in code. Key rotation is supported — new keys encrypt new writes while a background process re-encrypts existing records.
Policy Stack uses passwordless authentication. You sign in via a magic link sent to your email or through Google OAuth with PKCE verification. We never store a password on your behalf — because there isn't one.
Sessions use short-lived access tokens (1-hour expiry) with automatic refresh token rotation. Every login creates a session log entry. Signing out revokes all active sessions immediately.
Multi-factor authentication (TOTP) is available for all users and encouraged for paid tiers. Sensitive actions — data export, account deletion, billing changes, and revoking advisor access — require re-authentication if your last login was more than 15 minutes ago.
Every query to our database is filtered by row-level security (RLS) policies enforced at the PostgreSQL engine level — not in application code. Your policies, loans, deployments, and goals are invisible to any other user, including our team.
RLS policies are applied to every table in the database with no exceptions. Audit logs are write-only via service role to prevent users from injecting or modifying log entries. Soft deletes are enforced — deleted records are filtered from all queries automatically.
When you link an advisor to your account, they receive read-only access to your policies, loans, and deployments. Advisors can never write to your data. You must explicitly accept the link, and you can revoke it at any time — revocation is immediate and permanent.
Advisors cannot see other advisors' clients. All advisor access is logged to the audit trail. Monitoring rules flag unusual access patterns, such as an advisor accessing more than 20 unique client accounts in an hour.
All API endpoints are rate-limited to prevent abuse and brute-force attacks.
Rate-limited responses return HTTP 429 with a Retry-After header.
Policy Stack uses a referral attribution cookie — a 90-day first-touch cookie that stores the referring advisor's ID for referral tracking. This cookie is set when a consumer arrives via an advisor's referral link and is used solely to attribute the referral. No third-party tracking cookies or advertising pixels are used. See our Privacy Policy for the full cookie table.
Policy Stack uses third-party AI models via OpenRouter (currently routing to Anthropic Claude and Google Gemini) for the AI Assistant and document extraction. Your financial data is sent to the AI only when you use these features, and only the data relevant to your question. Neither OpenRouter nor the underlying model providers use API inputs to train models.
Our AI pipeline includes four layers of protection against prompt injection: input sanitization that strips code blocks, HTML tags, and role markers; system prompt isolation where user input never appears in the system message; structured data injection using typed JSON rather than string concatenation; and output validation that checks for leaked system prompt content.
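An added example (not Policy Stack's own pipeline code) of the four layers just listed: a sanitizer for code fences, HTML tags and role markers; a system message that never contains user input; the question and records passed as one typed JSON object; and an output check that withholds a reply which echoes the system prompt. The system prompt, canary marker and sample records are constructed.

```javascript
// Layer 1: input sanitization. Fenced code blocks, HTML tags and chat-role
// markers are removed before the question goes anywhere near the model.
function sanitizeUserInput(text) {
  return text
    .replace(/```[\s\S]*?```/g, '')                 // fenced code blocks
    .replace(/<\/?[a-z][^>]*>/gi, '')               // HTML tags
    .replace(/\b(system|assistant|user)\s*:/gi, '') // role markers
    .replace(/\s+/g, ' ')
    .trim();
}

// Constructed system prompt. The canary is a marker that should never appear
// in a reply; seeing it means the system prompt was echoed back.
const CANARY = 'CANARY-7f3c-demo';
const SYSTEM_PROMPT = `You are a financial assistant. Answer only from the JSON data provided. Internal marker: ${CANARY}.`;

// Layers 2 and 3: the system prompt is its own message, and the user's
// question travels with the relevant records as one typed JSON object that
// the model reads as data, never spliced into the system text.
function buildMessages(question, records) {
  const payload = { question: sanitizeUserInput(question), data: records };
  return [
    { role: 'system', content: SYSTEM_PROMPT },
    { role: 'user', content: JSON.stringify(payload) },
  ];
}

// Layer 4: output validation. A reply containing the canary or any 30-character
// verbatim run of the system prompt is withheld instead of shown to the user.
function validateOutput(reply) {
  if (reply.includes(CANARY)) return { ok: false, reason: 'canary leaked' };
  for (let i = 0; i + 30 <= SYSTEM_PROMPT.length; i++) {
    if (reply.includes(SYSTEM_PROMPT.slice(i, i + 30))) {
      return { ok: false, reason: 'system prompt leaked' };
    }
  }
  return { ok: true };
}
```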
Uploaded documents for extraction are validated by file type (PDF, PNG, JPG, HEIC only) and size (12 MB limit for extraction, 25 MB for storage). Documents are stored with bucket-level RLS, accessed only via signed URLs with 1-hour expiry, and automatically deleted after 30 days.
Every critical action in Policy Stack is logged to an immutable audit trail: authentication events, policy and loan changes, data exports, advisor access, AI queries, and administrative actions. Audit entries include user ID, action type, resource affected, IP address, and timestamp.
Audit logs are retained for one year. You can request a full export of your household's audit trail at any time.
All API inputs are validated using strict schemas before any database operation. We use parameterized queries exclusively — no raw SQL string construction. Mutation endpoints verify request origin to prevent cross-site request forgery.
Security headers enforced on every response include: Strict-Transport-Security with HSTS preload, Content-Security-Policy restricting script and connection sources, X-Frame-Options DENY, X-Content-Type-Options nosniff, and a strict Referrer-Policy.
All payment processing is handled by Stripe. Policy Stack never sees, stores, or transmits your credit card number. Stripe is PCI DSS Level 1 certified — the highest level of payment security certification.
Stripe webhook signatures are cryptographically verified on every incoming event. We never trust request bodies directly — only data from verified webhook payloads.
Policy Stack runs on Vercel (edge network with built-in DDoS protection and WAF) backed by Supabase for database and authentication, with AI features routed through OpenRouter. Supabase holds SOC 2 Type II certification, with encrypted daily backups and point-in-time recovery.
We do not run our own servers. We deliberately rely on infrastructure providers whose primary job is keeping systems secure. Dependencies are audited on every build and automatically updated for security patches.
You can export all of your data at any time — policies, snapshots, loans, deployments, and audit logs — as a JSON and CSV bundle via Settings. You can also delete your account entirely. Account deletion cancels your subscription, revokes all advisor links, and schedules permanent removal of all data after a 30-day recovery window.
We maintain a documented incident response playbook covering detection, containment, assessment, notification, and remediation. In the event of a security incident affecting your data, we commit to notifying affected users within 72 hours with clear information about what happened, what data was involved, and what steps to take.
If you discover a security vulnerability in Policy Stack, we want to know. Please reach out to security@policystack.co with details. We take all reports seriously and commit to responding within 48 hours.
We ask that you give us reasonable time to investigate and address the issue before any public disclosure.
If you have questions about how Policy Stack handles your data, contact us at team@policystack.co.