DRAFT — pending attorney review. Effective version available on request via security@dltd.app.
SIG Lite (pre-filled)

Security Questionnaire (SIG Lite)

Last updated: 2026-06-01

Vendor: DLTD, Inc. · Product: DLTD Business

This document is DLTD’s pre-filled response to the Shared Assessments Standardized Information Gathering (SIG) Lite questionnaire, intended to streamline vendor risk reviews for prospective Business customers. Answers reflect the production posture of the DLTD platform as of the date above. For any item flagged “Customer-specific” or for a full SIG Core response, contact security@dltd.app.

Q1 · Risk Assessment & Governance

Does the organization have a documented enterprise risk management and information security governance program?

Yes (in progress). DLTD operates an information security program led by the CEO with engineering ownership of day-to-day controls. A risk register is maintained covering data, infrastructure, third-party, and regulatory risk. Formalized policy ownership, quarterly review cadence, and a designated Security Officer role are being put in place as part of the SOC 2 Type II readiness work targeted for Q4 2026.

Q2 · Security Policy

Has the organization published an information security policy, and is it reviewed at least annually?

Yes. DLTD maintains an Information Security Policy, an Acceptable Use Policy for personnel, an Incident Response Plan, and a Data Classification & Handling Standard. Policies are reviewed at least annually by the CEO and the engineering lead, and on any material change. Customer-facing summaries are published at dltd.app/privacy, dltd.app/terms, and dltd.app/business/dpa.

Q3 · Organizational Security

Is there a defined organizational structure for information security with clear roles and responsibilities?

Yes. Executive accountability rests with the CEO. Day-to-day operational security is owned by the engineering lead, who approves production access, reviews dependency vulnerabilities, and manages incident response. The bug-bounty and responsible-disclosure intake is handled at security@dltd.app.

Q4 · Organizational Security

Are security responsibilities, controls, and procedures communicated to relevant personnel?

Yes. All personnel receive onboarding security and privacy training and are subject to a written confidentiality agreement. All personnel with production access receive annual refresher training covering data handling, secrets management, secure development, and incident response.

Q5 · Asset Management & Data Classification

Does the organization classify data based on sensitivity and apply appropriate handling controls?

Yes. DLTD uses a three-tier classification: Public (marketing content, published policies), Internal (operational metrics, source code), and Confidential / Personal Data (customer account data, OAuth tokens, broker scan results, AI audit findings, inbox audit findings, child profile fields). Confidential data is encrypted at rest and in transit, gated by PostgreSQL Row-Level Security, and accessible to a defined set of personnel on a need-to-know basis.

Q6 · HR Security / Background Checks

Are background checks performed on personnel with access to confidential customer data, where permitted by law?

Partial. All personnel are bound by written confidentiality agreements as a condition of engagement. Formal background-check procedures (criminal records, prior-employment verification, reference checks) are scoped for rollout in 2026 as part of SOC 2 Type II readiness. On termination, access to production systems is revoked same-day under a documented offboarding checklist.

Q7 · Physical & Environmental Security

Are physical access controls in place to protect facilities housing systems that process customer data?

Inherited from cloud providers. DLTD does not operate its own data centers. All production systems run on managed cloud infrastructure provided by Supabase (which runs on Amazon Web Services) and Vercel (which runs on Amazon Web Services and Cloudflare). Physical access controls for these facilities are inherited from the underlying providers’ SOC 2 and ISO 27001 attestations.

Q8 · Physical & Environmental Security

Are environmental controls (fire suppression, climate control, power redundancy) in place at processing facilities?

Inherited from cloud providers. See Q7. Environmental controls are managed by AWS and Cloudflare and are covered by their published compliance reports, which are available on request to assist with Customer’s due diligence.

Q9 · Communications & Operations — Encryption

Is customer data encrypted at rest and in transit using industry-standard algorithms?

Yes.
  • In transit: TLS 1.2 or higher on all customer-facing endpoints, with HSTS enforced.
  • At rest: AES-256 at the database storage layer (Supabase / AWS managed encryption). Sensitive fields, including Google OAuth access and refresh tokens and child-profile identifiers, are additionally encrypted at the application layer using Supabase Vault with per-user keys.
  • Key management: Encryption keys are managed by AWS KMS via Supabase. Keys are never co-resident with the data they protect.

Q10 · Communications & Operations — Backups

Are backups of customer data performed, encrypted, and tested?

Yes. Postgres point-in-time recovery is enabled with a rolling seven (7)-day window via the managed Supabase service. Periodic encrypted snapshots are retained for thirty (30) days. Backups are encrypted at rest using the same AES-256 controls as production data. Restore exercises are performed at least annually.

Q11 · Communications & Operations — Malware

Are anti-malware, intrusion-detection, and vulnerability-monitoring controls in place across the production environment?

Yes. DLTD relies on the managed Supabase and Vercel platforms for host-level intrusion detection and anti-malware controls. Application-layer protections include Cloudflare-style WAF rules at Vercel’s edge, automated dependency-vulnerability scanning on every push, and anomaly monitoring on database query patterns.

Q12 · Access Control

Are authentication and authorization controls in place, including password requirements and multi-factor authentication?

Yes.
  • End-user authentication: provided by Supabase Auth. Passwords are hashed and salted using bcrypt. OAuth single sign-on is supported. MFA is available to all Business tier users and can be enforced organization-wide by the Customer administrator.
  • Authorization: every customer-data table enforces PostgreSQL Row-Level Security keyed to the authenticated user’s identity. Users can read only rows they own. Business administrators have additional scoped access to seats on their organization only.
  • Personnel authentication: all DLTD personnel access to production systems requires MFA. Access is granted on a need-to-know basis and revoked same-day on offboarding.

Q13 · Information Systems Acquisition & Secure Development

Does the organization follow a secure software development lifecycle (SDLC)?

Yes.
  • All code is managed in version control with mandatory code review prior to merge to production branches.
  • Automated dependency-vulnerability scanning and static analysis run on every push.
  • Secrets are managed exclusively through Vercel and Supabase secret stores; no secrets are checked into source control. Secret scanners run on every commit.
  • Production deploys go through a CI/CD pipeline; ad-hoc production changes are not permitted.
  • Security-relevant changes (auth, encryption, RLS policies) require review by the engineering lead before merge.

Q14 · Incident Management

Is there a documented incident response plan, and are personal-data breaches communicated to customers in a timely manner?

Yes. DLTD maintains an Incident Response Plan covering detection, triage, containment, eradication, recovery, and post-incident review. The Plan defines on-call ownership, severity classification, and customer-notification thresholds. Confirmed Personal Data Breaches affecting Customer Personal Data are communicated to the Customer’s designated security contact without undue delay, and in any event within seventy-two (72) hours of DLTD becoming aware, in accordance with Section 9 of the DLTD Data Processing Addendum at dltd.app/business/dpa.

Q15 · Business Continuity / Disaster Recovery

Is there a business continuity and disaster recovery plan, and are recovery objectives defined and tested?

Yes (in maturation). The Services run on geographically redundant cloud infrastructure (Vercel, Supabase) supporting recovery from regional outages without manual failover. Recovery objectives:
  • RTO (recovery time objective): four (4) hours for full-region failure.
  • RPO (recovery point objective): fifteen (15) minutes, backed by Postgres point-in-time recovery.
Documented DR runbooks and annual tabletop exercises are part of the SOC 2 Type II workstream.

Q16 · Compliance & Audit

Has the organization obtained third-party security and privacy attestations (SOC 2, ISO 27001, HIPAA, etc.)?

Status by framework:
  • SOC 2 Type II: In progress, targeting completion in Q4 2026. SOC 2 Type I is the prior step and is being completed in advance.
  • GDPR: Aligned to GDPR Article 28 processor obligations. A standard Data Processing Addendum incorporating Module Two of the EU Standard Contractual Clauses for international transfers is available at dltd.app/business/dpa.
  • CCPA / CPRA: Compliant. DLTD also acts as Authorized Agent under California Civil Code § 1798.135 for end-user opt-out-of-sale and deletion requests submitted to data brokers via the Services.
  • HIPAA: DLTD does not currently sign Business Associate Agreements (BAAs). The Services are not intended for the processing of Protected Health Information.
  • ISO 27001: Not currently certified.
  • PCI DSS: DLTD does not store or transmit cardholder data. All payment card processing is performed by Stripe, which is PCI DSS Level 1 certified.

Q17 · Privacy / Data Protection

Is there a published privacy policy, and is there a process for handling data-subject rights requests?

Yes. The DLTD Privacy Policy is published at dltd.app/privacy. DLTD does not sell, share, or monetize personal data and does not use customer data to train any AI model. DLTD assists Customers with Data Subject Access Requests (DSARs) and analogous CCPA requests under Section 8 of the DPA. Direct requests received by DLTD from end users are forwarded to the Customer for response. Privacy contact: privacy@dltd.app.

Q18 · Privacy / Data Protection

Where is customer personal data stored, and what cross-border transfer mechanisms are in place?

Storage location. All Customer Personal Data is stored in the United States by default, in Supabase’s US-region managed Postgres infrastructure. Application hosting is on Vercel’s global edge network with origin compute in the United States.

Cross-border mechanisms. For Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP, DLTD relies on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914, Module Two — Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum, both incorporated by reference into the DLTD DPA at dltd.app/business/dpa.

Q19 · Third-Party Risk Management

Does the organization perform due diligence on sub-processors and other third parties with access to customer data?

Yes. DLTD maintains a vendor inventory covering all sub-processors with access to Customer Personal Data. Each sub-processor is selected based on documented security and privacy controls (SOC 2 reports, GDPR DPA, transfer mechanisms). Each sub-processor is bound by data protection terms no less protective than those in DLTD’s DPA. Material changes to the sub-processor list are notified to Customers at least thirty (30) days in advance per Section 7.3 of the DPA. The current list is maintained at dltd.app/business/dpa (Annex B).

Q20 · Vendor Security

What sub-processors does DLTD use to deliver the Services, and what is each one responsible for?

Vendor         | Purpose                                                                                   | Location
Supabase       | Managed Postgres, auth, edge functions — primary store of Customer Personal Data          | US
Vercel         | Next.js web hosting and edge networking                                                   | US
Stripe         | Web and Business subscription billing; PCI DSS Level 1                                    | US
Resend         | Transactional email delivery                                                              | US / EU
Google APIs    | Gmail metadata API for Inbox Audit (headers and labels only)                              | US
Anthropic API  | LLM for optional summarization in the Business admin dashboard; not used for training     | US
RevenueCat     | iOS subscription entitlement management for App Store billing flows                       | US

DLTD does not currently use any analytics, advertising, or session-replay vendors that would expose Customer Personal Data. Product analytics are collected via a self-hosted PostHog instance.

Q21 · Cloud-Specific

What cloud-deployment model is used, and what tenancy / data-isolation controls are in place?

Deployment model. Multi-tenant SaaS, hosted on public cloud infrastructure (Vercel, Supabase — both running on AWS).

Tenancy and isolation. Logical tenancy. All customer rows live in shared Postgres tables and are isolated by PostgreSQL Row-Level Security policies keyed to the authenticated user’s identity. Business administrators are additionally scoped to seats assigned to their organization.

Customer-managed encryption keys (BYOK): not currently offered. AES-256 encryption at rest uses provider-managed keys (AWS KMS via Supabase). Application-layer Vault encryption uses per-user keys for highly sensitive fields.

Data residency. US by default. Region-pinned EU storage is on the 2026 roadmap and is not yet available; if EU residency is a hard requirement, contact security@dltd.app.

Customer offboarding. On termination, Customer Personal Data is returned or deleted per Section 12 of the DPA, with backup purge within thirty (30) days.
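The isolation model described in Q12 and Q21 (shared tables, Row-Level Security keyed to the authenticated user, Business administrators scoped to their own organization's seats) is shown below as an added illustration. This is not DLTD's schema or policy code; the table names, columns, the `org_memberships` role model and the smoke-test JWT subject are all constructed for the example. It assumes a Supabase-managed Postgres, where the `authenticated` role and the `auth.uid()` helper (which returns the JWT subject of the calling user) already exist.

```sql
-- Constructed example schema (NOT DLTD's schema): names and columns are assumptions.
create table scan_results (
    id        bigserial primary key,
    owner_id  uuid not null,          -- the end user who owns the row (auth.users.id)
    org_id    uuid,                   -- Business organization the seat belongs to, if any
    finding   text not null
);

create table org_memberships (
    org_id   uuid not null,
    user_id  uuid not null,
    role     text not null check (role in ('member', 'admin')),
    primary key (org_id, user_id)
);

-- Enable RLS on every customer-data table. FORCE applies the policies to the
-- table owner as well, so an application role that happens to own the table
-- cannot silently bypass them. With RLS on and no matching policy, queries
-- return zero rows (default deny).
alter table scan_results    enable row level security;
alter table scan_results    force  row level security;
alter table org_memberships enable row level security;
alter table org_memberships force  row level security;

-- Policy 1: a user can read and modify only rows they own.
-- auth.uid() is Supabase's helper returning the JWT subject (assumption: standard Supabase).
create policy scan_results_owner_all on scan_results
    for all
    to authenticated
    using      (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- Policy 2: an org admin can additionally READ (not modify) rows of seats in their org.
-- Policies are permissive, so this is OR'ed with policy 1. The EXISTS subquery runs
-- under RLS too, which is why org_memberships needs policy 3 or this is always false.
create policy scan_results_org_admin_select on scan_results
    for select
    to authenticated
    using (
        exists (
            select 1
            from   org_memberships m
            where  m.org_id  = scan_results.org_id
              and  m.user_id = auth.uid()
              and  m.role    = 'admin'
        )
    );

-- Policy 3: each user sees only their own membership rows.
create policy org_memberships_self_select on org_memberships
    for select
    to authenticated
    using (user_id = auth.uid());

-- Smoke test from psql: impersonate the authenticated role with a constructed JWT subject.
-- Assumes the standard Supabase auth.uid(), which reads the request.jwt.claims setting.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from scan_results;   -- only rows owned by ...0001 or visible via admin membership
rollback;
```

Two points worth checking in any review of this pattern: the Supabase `service_role` key bypasses RLS entirely, so it must only ever be used server-side and never shipped to a browser or mobile client; and a policy that joins to another RLS-protected table (policy 2 above) silently returns nothing unless that table grants the caller a read path (policy 3), which is easy to misread as "isolation working" when it is actually "query broken".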

Customer-Specific Items

The following items depend on Customer configuration or scope and are not pre-fillable. Contact security@dltd.app to confirm:

  • Customer-specific SLAs (uptime guarantees, support response times) — included in the Master Services Agreement when negotiated.
  • Custom data-residency or tenancy commitments beyond the defaults in Q21.
  • Customer-specific log retention or export commitments beyond the DLTD standard.
  • BAA execution for HIPAA-covered Customers (not currently supported; see Q16).
  • Customer-supplied penetration test or independent audit beyond the rights in Section 10 of the DPA.

Contact

Security questionnaire follow-ups, due diligence requests, and BAA inquiries: security@dltd.app. Privacy and DSAR coordination: privacy@dltd.app. Acknowledgement within two (2) business days.