W·A·I·T
DILIGENCE PASSPORT
Sign inGet started

Security & Privacy

How WAIT Investor Diligence Passport handles your data.

Data storage

Documents you upload are stored in Supabase Storage, hosted on AWS in the us-east-1 region. All files are encrypted at rest (AES-256) and in transit (TLS 1.3). Access is controlled by row-level security policies — your data is isolated to your organization and is never readable by other users or organizations.

Database rows (projects, claims, risks, scores) are stored in a Supabase PostgreSQL instance with the same encryption and row-level isolation. Your service-role credentials are never exposed to the browser.

OpenAI data usage

Document text is sent to OpenAI's API for claim extraction, evidence matching, and Q&A generation. We use OpenAI's enterprise API tier, which opts out of training data usage by default. OpenAI does not train models on data submitted via the API.

Before prompt calls, the application redacts common emails, SSNs, payment card-like numbers, bank account/routing numbers, and likely credentials from document snippets. This is a safeguard, not a guarantee that all sensitive content is removed.

Document text is uploaded to an OpenAI Vector Store (File Search) scoped to your individual audit run. Vector store identifiers are retained on the audit run so they can be deleted during project deletion and retention cleanup. OpenAI retains API inputs for up to 30 days for safety monitoring; see OpenAI's API data usage policy for the authoritative terms.

We still recommend redacting sensitive personal information from documents before upload if you have concerns about third-party data processing.

Third-party services

Data retention and deletion

Your documents, reports, and audit data are retained for 12 months from the date of the last audit run. After that period, files in Supabase Storage are deleted and database rows are anonymized.

Project settings include a deletion control that removes project records, stored files, reports, and best-effort OpenAI vector store artifacts. To request broader account deletion, email privacy@waittech.io. We will process deletion requests within 30 days.

Data sharing

We do not sell, rent, or share your documents, report data, or personal information with any third party for commercial purposes. Data is only shared with the sub-processors listed above for the purpose of delivering the service. We do not share data with investors, accelerators, or any other parties unless you explicitly instruct us to.

Access controls

All authenticated routes require a valid Supabase session token. Admin routes additionally require the admin role in user app metadata, which can only be set via the Supabase dashboard by WAIT-Tech staff. Supabase row-level security enforces organization-level isolation at the database layer, independent of application-level checks.

Legal disclaimer

Reports generated by WAIT Investor Diligence Passport are informational only. They do not constitute legal advice, financial advice, or investment recommendations. Findings should be reviewed by qualified legal and financial professionals before being relied upon for business or investment decisions. WAIT-Tech Inc. accepts no liability for decisions made based on report outputs.

Contact

Security issues, data requests, or compliance questions: security@waittech.io