TRUST CENTER
Our security posture, in public.
Privacy products that hide their own security posture have a credibility problem. Here’s ours, openly.
Compliance & certifications
SOC 2 Type II: In progress
Targeting Q4 2026. Engaged Vanta for continuous monitoring + audit prep. Type I report available on request under NDA.
GDPR Article 28 (Processor): Compliant
DPA template publicly available. SCCs Module 2 (Controller-to-Processor) incorporated for EU transfers.
CCPA Authorized Agent (§1798.135): Compliant
DLTD files removal requests on behalf of users under a signed LOA. Multi-jurisdiction LOA covers CA + 9 other US states + EU + UK + Canada + Brazil.
HIPAA Business Associate Agreement: Not offered
DLTD does not currently sign BAAs. Not a fit for entities subject to HIPAA who require BAAs for vendor data handling.
ISO 27001: Not certified
Not yet pursued. Will be evaluated after SOC 2 Type II completes.
Documents (downloadable, no sales call)
Data Processing Addendum (DPA)
GDPR Art. 28 compliant draft, executable on request
Security Questionnaire — pre-filled SIG Lite
Standardized vendor security questions answered in full
Sub-processor List
Current as of the date shown on the page
Privacy Policy
What we collect, what we never do, deletion path
Terms of Service
Standard SaaS terms
Technical & organizational measures
Encryption at rest
AES-256 (Supabase full-disk encryption + per-database TDE)
Encryption in transit
TLS 1.2+ (TLS 1.3 preferred). HSTS enforced on dltd.app.
Authentication
Email + password (Argon2 hashed by Supabase Auth). OAuth (Google, Microsoft) coming. SSO via OIDC included in Business tier.
Access control
Row-Level Security (RLS) on every Postgres table. Service-role credentials limited to specific edge functions and audited.
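The access-control measure above, shown as a concrete Postgres setup. This is an added illustration, not DLTD's own schema: the table, columns and policy names are assumed, and it relies on two Supabase Auth conventions (the `auth.uid()` helper that returns the caller's JWT subject, and the `authenticated` role) which a plain Postgres deployment would have to replace.

```sql
-- Added example, not DLTD's schema: per-user Row-Level Security on one table.
-- Table and column names are assumed for illustration.
create table if not exists removal_requests (
  id          bigint generated always as identity primary key,
  user_id     uuid not null,            -- owner; matches auth.users.id in Supabase
  broker      text not null,
  created_at  timestamptz not null default now()
);

-- 1. Enable RLS and make it apply to the table owner as well.
alter table removal_requests enable row level security;
alter table removal_requests force row level security;

-- 2. Policies keyed to the caller's identity. auth.uid() is the Supabase Auth
--    helper (assumed here); on vanilla Postgres substitute a session setting
--    such as current_setting('app.user_id')::uuid.
create policy requests_select_own on removal_requests
  for select to authenticated
  using (user_id = auth.uid());

create policy requests_insert_own on removal_requests
  for insert to authenticated
  with check (user_id = auth.uid());

-- 3. No update/delete policy is defined, so those statements match zero rows
--    for ordinary users; deletion must go through a privileged code path.

-- 4. Defender's check: any table in the public schema still missing RLS.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Two points follow from this shape. First, Supabase's service role bypasses RLS entirely, which is exactly why the page's second sentence (service-role credentials confined to specific edge functions and audited) is the half of the control that matters most: a policy set like the one above protects nothing against code that runs with the bypass key. Second, the final query is worth running in CI or a scheduled job, because "RLS on every table" is a claim that silently stops being true the first time someone adds a table and forgets the `alter table`.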
Audit logging
Every privileged action (LOA signing, broker dispatch, OAuth grant, account deletion) logged to immutable audit tables. Exportable to Business customers.
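An added example of what "immutable audit tables" can mean at the database layer; it is not DLTD's schema, and the table, column and function names are assumed. Grants alone are not enough for a table the application owner can write to, so the trigger makes update, delete and truncate fail regardless of which role issues them.

```sql
-- Added example, not DLTD's schema: an append-only audit table.
-- Names are assumed for illustration.
create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  actor_id    uuid not null,
  action      text not null,           -- e.g. 'loa.sign', 'broker.dispatch'
  target      text,
  occurred_at timestamptz not null default now()
);

-- 1. Application roles may only append and read. 'authenticated' is the
--    Supabase role (assumed); use your own application role elsewhere.
revoke all on audit_log from public;
grant select, insert on audit_log to authenticated;

-- 2. Refuse any rewrite of existing rows, whoever runs the statement.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% attempted)', tg_op;
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- 3. TRUNCATE is a statement-level operation, so it needs its own trigger.
create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();
```

A superuser can of course drop the trigger, so the guarantee is only as strong as the separation between application credentials and the credential that can alter schema; that is the same dependency the access-control measure above calls out for service-role keys. Exporting the log to customers, as the page describes, is the other half: a copy outside the database is what lets an auditor notice if rows ever go missing.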
Backups
Continuous WAL + point-in-time recovery (Supabase managed). 30-day retention; user-deleted data purged within 30 days.
Vulnerability disclosure
security@dltd.app — open bug bounty from day one. Acknowledge within 24h, patch critical within 7d.
Sub-processor list
What we explicitly don't do
- We don’t sell, share, or monetize your data.
- We don’t use your data to train any AI model — ours or anyone else’s.
- We don’t read message bodies of inboxes you connect — only headers (From, Subject, Date, List-Unsubscribe).
- We don’t run third-party tracking SDKs in our app or extension.
- We don’t store images of minors on any server in any form.
Trust Center is maintained by hand. Last updated: 2026-06-04. Questions: security@dltd.app.