Security

Switchboard is built to handle sensitive M&A diligence materials. This page describes the controls we have in place to protect your data.

Architecture diagram (layers: Browser, Application, Infrastructure):

  • User browser
  • Vercel (SOC 2 Type II): Next.js app server; Edge CDN · SSR; TLS in transit; HTTP-only session cookies; service key never leaves server
  • Supabase (SOC 2 Type II): Postgres + RLS · Auth · File storage; AES-256 at rest · TLS in transit
  • Sentry: error monitoring · stack traces; no user content in error reports
  • Resend: transactional email · invites · notifications
  • Connection labels: HTTPS; server-side only; errors; email dispatch

Infrastructure

Switchboard is hosted on Vercel and powered by Supabase for database, authentication, and file storage. Both providers maintain SOC 2 Type II certification and operate on hardened cloud infrastructure. We do not run or manage our own servers.

Encryption

All data is encrypted in transit over TLS. Data at rest — including deal content, uploaded documents, and user records — is encrypted by Supabase using AES-256. Document files are stored in an isolated storage bucket and are never accessible via direct URLs; all access requires a short-lived signed URL generated server-side.

Authentication

Users authenticate via email magic link or password. Multi-factor authentication (MFA) is available to all users and can be enforced by deal administrators. Sessions are managed server-side using secure, HTTP-only cookies and are automatically refreshed.

Invitations are single-use, time-limited links delivered by email. Accepting an invitation requires the recipient to be authenticated, preventing link-forwarding abuse.
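
One way to implement the invitation checks described above, as an added example that is not Switchboard's own code. It assumes each invitation is bound to the invited email address; the in-memory store, the 72-hour lifetime, the function names and the sample tokens are all hypothetical and constructed for illustration.

```javascript
// Added example, not Switchboard's code. Names, store and sample data are hypothetical.
const INVITE_TTL_MS = 72 * 60 * 60 * 1000; // assumed lifetime; the page gives no figure

// Constructed sample store keyed by token. A database-backed store would consume
// the row in one conditional update so two concurrent requests cannot both succeed.
function createInviteStore(nowMs) {
  return new Map([
    ["tok-fresh", { email: "analyst@buyer.example", dealId: "deal-1", issuedAt: nowMs, usedAt: null }],
    ["tok-stale", { email: "analyst@buyer.example", dealId: "deal-1", issuedAt: nowMs - INVITE_TTL_MS - 1, usedAt: null }],
  ]);
}

// session is null when unauthenticated, otherwise { email } taken from the
// verified server-side session, never from the request body.
function acceptInvite(store, token, session, nowMs) {
  if (!session || !session.email) return { ok: false, reason: "unauthenticated" };
  const invite = store.get(token);
  if (!invite) return { ok: false, reason: "unknown_token" };
  if (invite.usedAt !== null) return { ok: false, reason: "already_used" };
  if (nowMs - invite.issuedAt > INVITE_TTL_MS) return { ok: false, reason: "expired" };
  // Binding to the invited address is what defeats a forwarded link:
  // a different signed-in user holding the same token is rejected.
  if (session.email.trim().toLowerCase() !== invite.email.toLowerCase()) {
    return { ok: false, reason: "wrong_recipient" };
  }
  invite.usedAt = nowMs; // consume the invitation before granting membership
  return { ok: true, dealId: invite.dealId, email: invite.email };
}

// Run the constructed scenarios in order and collect the outcome of each.
function demo() {
  const now = 1700000000000;
  const store = createInviteStore(now);
  const invited = { email: "Analyst@buyer.example" };
  const other = { email: "someone@else.example" };
  return [
    acceptInvite(store, "tok-fresh", null, now).reason,        // no session
    acceptInvite(store, "tok-fresh", other, now).reason,       // forwarded link
    acceptInvite(store, "tok-stale", invited, now).reason,     // past lifetime
    acceptInvite(store, "tok-fresh", invited, now).ok,         // legitimate accept
    acceptInvite(store, "tok-fresh", invited, now + 1).reason, // replay of a used link
  ];
}

console.log(demo());
```

A rejected attempt by the wrong recipient leaves the invitation unconsumed, so the invited user can still accept it.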

Access Control

Access is enforced at multiple layers:

  • Role-based access — every user has an explicit role (project lead, workstream lead, SME, or target). Roles determine what actions are available across the platform.
  • Per-subject-matter access — write access is scoped to assigned subject matters. Users may have read-only visibility into subject matters outside their assignments depending on their role, but cannot modify content they have not been granted explicit write access to.
  • Row-level security (RLS) — access rules are enforced directly in the database using Postgres RLS policies. Application-layer bugs cannot grant access to data a user is not permitted to see.
  • Server-side privilege escalation — operations requiring elevated permissions (sending invites, publishing sections, writing activity logs) use a server-only service role key that is never exposed to the browser.
  • Administrative access — access to infrastructure administration consoles (database, hosting, monitoring) is restricted to a small number of senior personnel. A defined escalation path governs when and how that access is exercised.

Document Security

Uploaded documents are stored in a private, deal-scoped storage bucket. Access requires an authenticated session and an active deal membership. Signed URLs expire after a short window and are generated on demand — there are no persistent public links to any document.

Monitoring

Application errors and exceptions are captured in real time using Sentry. All mutating server actions log errors for audit purposes. Vercel provides request-level logging and infrastructure monitoring.

Reporting a Security Issue

If you discover a potential security vulnerability, please report it to us directly at support@switchboarddeals.com. We will respond promptly and work with you to address the issue.