Core Growth AI
Security & compliance posture

Engineered for security. Designed for due diligence.

Everything an advisor's IT or procurement team needs to clear Core Growth AI through their vendor-risk process — SOC 2 status, encryption posture, US data residency, full subprocessor list, and a packet your CCO can route internally in one email.

Request the compliance packet · For CCO + IT review · updated quarterly
Platform security

Six controls every CCO procurement form asks about.

We surface the status honestly — including what's done, what's in progress, and what's on the audit roadmap. Generic claims fail procurement; specificity earns approvals.

SOC 2 Type II

Pre-audit · target window pending

Control framework selected, evidence collection underway. We don't publish a Type II claim until the report is in hand. Roadmap update and auditor name are shareable under NDA.

Encryption

TLS 1.2+ in transit · AES-256 at rest

All API traffic terminates over TLS. Database storage is encrypted at rest by our cloud provider (managed Postgres + object storage). Secrets stored in a managed vault, never in source.

US data residency

Primary region: AWS us-east-1

Production database, object storage, and application servers run in US-only AWS regions via Supabase + Vercel. No data leaves the United States in normal operation.

Identity + access

Clerk-managed SSO · SAML + Okta + Entra

Customer authentication runs through Clerk. SSO available on Enterprise (SAML 2.0, Okta, Entra ID). Role-based access controls (RBAC) scoped to org_id at the row level.
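The org_id row-level scoping mentioned here (and again under data-handling principles) is the control a reviewer will most want to see enforced by the database itself rather than only by application code. What follows is an added illustration, not Core Growth AI's own schema or policy: a Postgres row-level-security policy on a hypothetical leads table, where the application sets the caller's org in a per-transaction session variable (app.org_id, an assumed name) on each request. Once the policy is in place, every SELECT, INSERT, UPDATE and DELETE is filtered to that org even if a query path forgets its WHERE clause.

```sql
-- Added example (not Core Growth AI's schema or policy): tenant isolation with Postgres
-- row-level security. Assumes the application runs each request inside a transaction
-- and sets `app.org_id` (assumed variable name) with SET LOCAL before any query.

CREATE TABLE leads (
  id       bigserial PRIMARY KEY,
  org_id   uuid NOT NULL,
  name     text NOT NULL,
  company  text
);

-- ENABLE turns RLS on; FORCE makes it apply to the table owner as well, so an
-- application that accidentally connects as the owner cannot silently bypass it.
-- (Superusers and roles with BYPASSRLS still bypass RLS; keep those out of app paths.)
ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

-- One policy governs reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only when its org_id equals the org set for this transaction.
-- current_setting(name, true) returns NULL instead of raising when the variable was
-- never set; NULLIF guards the case where it was reset to '' by a previous transaction.
-- A NULL comparison fails the policy, so an unset session sees and writes nothing.
CREATE POLICY leads_org_isolation ON leads
  USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Least-privilege application role: table access only, no ownership, no BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;
GRANT USAGE, SELECT ON SEQUENCE leads_id_seq TO app_user;

-- Per-request pattern when connected as app_user. SET LOCAL is scoped to the
-- transaction, so the org cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample org
INSERT INTO leads (org_id, name) VALUES ('11111111-1111-1111-1111-111111111111', 'Sample lead');
SELECT count(*) FROM leads;   -- counts only rows belonging to the org set above
COMMIT;
```

A useful verification step during a vendor review is to run the same SELECT with no app.org_id set, or with a different org's id, and confirm that zero rows come back; that demonstrates the isolation holds at the database layer independently of any application-side filtering.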

Monitoring + incident response

Logging + alerting via [CONFIRM: vendor]

Application and infrastructure logs centralized for retention and alerting. On-call rotation with documented severity tiers and customer-notification SLA for any incident affecting confidentiality or availability.

Penetration testing

Annual third-party · first test scheduled

Independent third-party penetration testing committed to as part of SOC 2 program. First scheduled test window and remediation tracking will be shared in the compliance packet.

Subprocessors

Every third party that touches your data, named.

Public list with purpose and data scope. Customer-connected integrations (CRMs) are gated — they only see data once the customer grants OAuth access from inside the product.

Vendor | Purpose | Data scope | Region
------ | ------- | ---------- | ------
Amazon Web Services | Underlying cloud infrastructure (compute, storage) | All operational data | United States
Supabase | Managed Postgres database + storage + auth backend | Lead records, dossiers, advisor metadata, audit logs | United States
Vercel | Application + marketing-site hosting + edge runtime | Application code + static assets (no PII) | United States
Clerk | Customer authentication + SSO (SAML, Okta, Entra) | Advisor identity, session tokens | United States
Anthropic (Claude) | AI dossier generation + outreach drafting | Public-record context (names, titles, SEC-filing references) | United States
Exa | Public news + biographical research enrichment | Names + companies for web-research queries | United States
Apollo | B2B contact-information enrichment | Names + companies for contact lookup | United States
Prospeo | Email-deliverability verification | Email addresses for syntax + MX verification | United States
Resend | Transactional email delivery (marketing-site + alerts) | Customer email addresses + outbound message bodies | United States
Wealthbox (customer-gated) | Customer CRM integration — only when customer connects it | Customer's own CRM contacts (read + write, scoped via OAuth) | United States
Salesforce Financial Services Cloud (customer-gated) | Customer CRM integration — only when customer connects it | Customer's own CRM contacts (read + write, scoped via OAuth) | United States

List re-verified quarterly. Material changes are emailed to customer security contacts at least 30 days in advance.

Insurance & coverage

  • Tech E&O / Cyber liability · [CONFIRM: carrier · $X aggregate / $Y per claim]
  • General liability · [CONFIRM: carrier · limits]
  • Certificate of insurance available on request, shareable before contract execution.

Incident response

  • Documented severity tiers (P0–P3) with owner + escalation paths.
  • Customer-notification SLA for any incident affecting confidentiality, integrity, or availability of customer data.
  • Post-incident report shared with affected customers within 10 business days, including root cause + remediation.
  • Security contact: security@coregrowthai.com

Data-handling principles

  • All prospect data originates from public sources (SEC EDGAR, state DOL WARN portals, B2B contact APIs).
  • Customer CRM data stays inside the customer's CRM — read via OAuth, never persisted beyond the active sync.
  • Customer-data isolation by org_id row-level scoping in every query path.
  • Backups encrypted at rest, retained per data-retention policy in the compliance packet.
  • Data deletion on contract termination within 30 days, with attestation on request.
  • No training of foundation models on customer-uploaded data.

Compliance packet

One email. Everything your CCO needs.

Share a few details and we'll send a single PDF bundle your compliance or procurement lead can route internally without another round trip.

Inside the packet
  • Security overview (controls + roadmap)
  • SOC 2 status + auditor (NDA)
  • Due-diligence questionnaire (CAIQ-lite format)
  • Data-handling overview + retention policy
  • Subprocessor list with data-scope detail
  • Insurance certificate (E&O + cyber)
  • Regulatory-framework alignment (SEC Marketing Rule, GLBA)
  • Incident-response runbook summary

Or email security@coregrowthai.com directly.