Security
Last updated: June 12, 2026
Invite-gated access
The platform is in invite-only beta. Self-serve signup is disabled at the server (not just hidden in the UI), every application route requires an authenticated session enforced by middleware, and authentication endpoints are rate-limited per IP to dampen credential stuffing.
Tenant isolation at the database layer
Every organization's data is isolated with Postgres row-level security (RLS). Policies fire on every read and write — isolation is enforced by the database itself, not by application code remembering to add a WHERE clause. A bug in our application layer cannot leak one customer's deals to another, because the database refuses the query.
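The database-enforced isolation described above, shown as an added example that is not the platform's own schema or policy. The table `deals`, the role `app_user` and the setting `app.current_org` are hypothetical, and the script assumes a scratch Postgres database and a superuser session.

```sql
-- Constructed example: deals, app_user and app.current_org are hypothetical names.
CREATE TABLE deals (
    org_id uuid NOT NULL,
    name   text NOT NULL
);

-- Seed two tenants (constructed data) before policies are switched on.
INSERT INTO deals (org_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A deal'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B deal');

-- ENABLE turns policies on; FORCE also subjects the table owner to them.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- USING filters rows on read/update/delete; WITH CHECK validates rows being written.
-- An unset or empty setting yields NULL, so the comparison matches nothing (fails closed).
CREATE POLICY deals_tenant_isolation ON deals
    FOR ALL
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Application role: not a superuser, no BYPASSRLS, does not own the table.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- No WHERE clause, yet the policy limits the result to tenant A.
SELECT org_id, name FROM deals;

-- Asking for tenant B explicitly is filtered to an empty result, not an error.
SELECT name FROM deals WHERE org_id = '22222222-2222-2222-2222-222222222222';

-- Writing a row for tenant B fails the WITH CHECK clause and raises an error.
INSERT INTO deals (org_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- Audit checks: tables missing ENABLE/FORCE, and roles that skip RLS entirely.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relkind = 'r' AND relnamespace = 'public'::regnamespace;
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Any role returned by the last query is exempt from every policy, so the guarantee holds only for connections that do not use one of those roles.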
Infrastructure
We build on managed, audited providers rather than running our own servers: Supabase (Postgres hosting, authentication, row-level security), Vercel (application hosting and edge network, TLS everywhere), Stripe (payments — card data never touches our systems), and Sentry (error monitoring, with request payloads redacted on billing, webhook, and API routes).
Client-side calculation architecture
Underwriting calculations run in your browser. Your scenario inputs are not round-tripped through third-party compute for the math — the calc engine executes locally and only the results you choose to save are written to your organization's workspace.
Provenance and honesty methodology
Security includes being honest about data quality. Every number the platform produces carries one of five provenance grades — verified, industry proxy, modeled, conflicted, or no data — and an immutable audit log records every deal change and simulator run. You can always trace what a figure is based on and who changed what, when.
No training on customer data
Your deal data is yours. We do not use customer data to train AI models — ours or anyone else's — and we do not sell or share it. Reference research content is built from public primary sources (HUD MAP Guide, IRC, agency selling guides), never from customer deals.
Reporting a vulnerability
Found something? We want to know. Email justin@credealvision.com with details and we'll respond promptly. Please give us a reasonable window to remediate before public disclosure.