
Trust Centre

Security built for
your most sensitive work.

Holocen Tech serves founder-led deep-tech companies preparing for European innovation funding. This page documents the security and compliance controls protecting your data on the platform.

Last independently assessed: April 2026

No vulnerabilities identified · Continuously monitored

53 active security controls
Continuously monitored for threats

Authentication & Account Security

Every account is protected by layered authentication controls: password policies, TOTP-based multi-factor authentication with recovery codes, and brute-force defences (account lockout and login rate limiting).

Multi-Factor Authentication (TOTP)

Time-based one-time passwords (TOTP) are supported for all accounts and can be enforced at the workspace level. When enabled, users are prompted for a verification code at every sign-in session. Compatible with any RFC 6238 authenticator app.

MFA Recovery Codes

Eight single-use recovery codes are generated at MFA enrolment and stored as bcrypt hashes. Codes can be regenerated by the account owner at any time.

Account Lockout

The login endpoint locks an account after 10 consecutive failed attempts within a 15-minute window, regardless of source IP. The lock expires automatically and is cleared on successful login.

Login Rate Limiting

A dedicated rate limiter applies to the login and password-reset endpoints, stricter than the general API limit. It is keyed by source IP at 10 requests per 15-minute window. Excess requests receive HTTP 429 Too Many Requests (the status code defined in RFC 6585) together with RateLimit response headers that state the limit and when the window resets.

User Enumeration Prevention

Login and password-reset endpoints return identical generic responses for unknown emails and wrong passwords. An attacker cannot determine whether an email address is registered on the platform.
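The three controls above (per-account lockout, per-IP rate limiting, and a response that does not distinguish unknown emails from wrong passwords) fit together in one login handler. The block below is an added example written for this page, not Holocen Tech's code: the in-memory stores, the scrypt password hash, the `LoginResponse` shape and the single constructed account are assumptions made for illustration.

```typescript
// Added example, not Holocen Tech's code: per-account lockout, per-IP rate
// limiting, and a generic login response. The in-memory stores, the scrypt
// password hash and the LoginResponse shape are assumptions for illustration.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

export const WINDOW_MS = 15 * 60 * 1000;
export const MAX_FAILED_LOGINS = 10; // per account, across all source IPs
export const MAX_IP_REQUESTS = 10;   // per IP, login + password-reset endpoints
const GENERIC_FAILURE = "Invalid email or password";

interface AccountState { failures: number[]; lockedUntil: number }
interface StoredUser { salt: Buffer; hash: Buffer }
export interface LoginResponse { status: number; body: string; headers: Record<string, string> }

const accounts = new Map<string, AccountState>(); // keyed by lower-cased email
const ipHits = new Map<string, number[]>();        // request timestamps per IP

// Constructed user table with a single account (not real data).
const users = new Map<string, StoredUser>();
function registerUser(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email.toLowerCase(), { salt, hash: scryptSync(password, salt, 32) });
}
registerUser("alice@example.com", "correct horse battery staple");
// Used for unknown emails so the hash work, and hence the timing, is the same.
const DUMMY_SALT = randomBytes(16);

// Sliding-window limiter; the result carries the values for the RateLimit headers.
export function checkIpLimit(ip: string, now: number): { allowed: boolean; remaining: number; resetSeconds: number } {
  const hits: number[] = (ipHits.get(ip) ?? []).filter((t) => now - t < WINDOW_MS);
  const allowed = hits.length < MAX_IP_REQUESTS;
  if (allowed) hits.push(now);
  ipHits.set(ip, hits);
  const resetSeconds = Math.ceil((hits[0] + WINDOW_MS - now) / 1000);
  return { allowed, remaining: Math.max(0, MAX_IP_REQUESTS - hits.length), resetSeconds };
}

export function isLocked(email: string, now: number): boolean {
  return now < (accounts.get(email.toLowerCase())?.lockedUntil ?? 0);
}

export function login(email: string, password: string, ip: string, now: number): LoginResponse {
  const rl = checkIpLimit(ip, now);
  const headers: Record<string, string> = {
    "RateLimit-Limit": String(MAX_IP_REQUESTS),
    "RateLimit-Remaining": String(rl.remaining),
    "RateLimit-Reset": String(rl.resetSeconds),
  };
  if (!rl.allowed) {
    headers["Retry-After"] = String(rl.resetSeconds);
    return { status: 429, body: "Too many requests", headers };
  }

  const key = email.toLowerCase();
  const state: AccountState = accounts.get(key) ?? { failures: [], lockedUntil: 0 };
  state.failures = state.failures.filter((t) => now - t < WINDOW_MS);
  const user = users.get(key);
  // Always do the scrypt work and a constant-time compare, whether or not the
  // email exists, so the unknown-email and wrong-password paths look the same.
  const candidate = scryptSync(password, user?.salt ?? DUMMY_SALT, 32);
  const passwordOk = user !== undefined && timingSafeEqual(candidate, user.hash);

  if (now < state.lockedUntil) {
    // Still locked: reject even a correct password, with the same generic body.
    accounts.set(key, state);
    return { status: 401, body: GENERIC_FAILURE, headers };
  }
  if (passwordOk) {
    accounts.delete(key); // successful login clears the counter and any expired lock
    return { status: 200, body: "ok", headers };
  }
  // Failed attempt: count it regardless of source IP and lock at the threshold.
  state.failures.push(now);
  if (state.failures.length >= MAX_FAILED_LOGINS) state.lockedUntil = now + WINDOW_MS;
  accounts.set(key, state);
  return { status: 401, body: GENERIC_FAILURE, headers };
}
```

The order of checks matters: the IP limiter runs first so that a locked account cannot be probed for free, and the password hash is computed before the lock check so that a locked account, an unknown email and a wrong password all take the same path and return the same body.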

Secure Password Reset

Password reset tokens are cryptographically random (32 bytes), stored hashed, expire after 1 hour, and are single-use. The reset flow does not disclose whether an email exists.
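The reset-token properties listed above (32 random bytes, stored hashed, one-hour expiry, single use, no disclosure of whether the email exists) are small enough to show end to end. This is an added example for this page, not Holocen Tech's implementation: the SHA-256 storage hash, the in-memory token store, the constructed account table and the `deliver` callback standing in for email delivery are all assumptions; the page only states that tokens are stored hashed.

```typescript
// Added example, not Holocen Tech's code: random, hashed, expiring, single-use
// reset tokens with a response that does not reveal whether the email exists.
// The SHA-256 storage hash, the in-memory store and the delivery callback are
// assumptions; the page only states that tokens are stored hashed.
import { createHash, randomBytes } from "node:crypto";

export const RESET_TTL_MS = 60 * 60 * 1000; // 1 hour
export const GENERIC_RESET_REPLY = "If that address is registered, a reset link has been sent.";

interface ResetRecord { userId: string; expiresAt: number; used: boolean }
// Keyed by the hex SHA-256 of the token: a database leak exposes only hashes,
// and the lookup never compares the raw token byte by byte.
const resetTokens = new Map<string, ResetRecord>();

// Constructed account table (not real data).
const usersByEmail = new Map<string, string>([["alice@example.com", "user_1"]]);

function tokenKey(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export function requestReset(
  email: string,
  now: number,
  deliver: (email: string, token: string) => void,
): string {
  const userId = usersByEmail.get(email.toLowerCase());
  if (userId !== undefined) {
    // Issuing a new token invalidates any earlier one for the same account.
    resetTokens.forEach((rec, k) => { if (rec.userId === userId) resetTokens.delete(k); });
    const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
    resetTokens.set(tokenKey(token), { userId, expiresAt: now + RESET_TTL_MS, used: false });
    deliver(email, token); // hypothetical email hand-off; the raw token is never stored
  }
  return GENERIC_RESET_REPLY; // identical reply for registered and unknown addresses
}

// Returns the user id on success, or null if the token is unknown, expired or spent.
export function consumeReset(token: string, now: number): string | null {
  const rec = resetTokens.get(tokenKey(token));
  if (rec === undefined || rec.used || now > rec.expiresAt) return null;
  rec.used = true; // single use: a replayed link fails even inside the TTL
  return rec.userId;
}
```

Because the token carries 256 bits of entropy, a fast hash is sufficient for storage (there is nothing to brute-force); the slow-hash treatment the page describes for recovery codes is needed there because those codes are short enough to be typed.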

Session Management

Sessions are signed JWT tokens stored in HttpOnly, Secure, SameSite=Strict cookies. Logout invalidates the session server-side and clears the cookie.

Data Security & Encryption

Client data is encrypted in transit and at rest. Workspace isolation ensures that no client can access another's data.

Encryption in Transit (TLS 1.2+)

All traffic is served over HTTPS (TLS 1.2 or newer). In production the Strict-Transport-Security header is set with max-age=31536000 (one year) and includeSubDomains, so browsers refuse to downgrade to plain HTTP.

Encryption at Rest

Database and file storage encryption at rest is provided by the Manus platform infrastructure (TiDB Cloud + S3-compatible object storage), certified under SOC 2 Type II and ISO 27001:2022.

Via Manus platform — see trust.manus.im

Workspace Isolation (Multi-Tenancy)

Every query is scoped to a workspace_id. Cross-workspace data access is structurally prevented at the database query layer — no client can read another client's assessments, research, or documents.

File Storage (S3-Compatible)

Research files and documents are stored in S3-compatible object storage with non-enumerable, randomised keys. File metadata is stored in the database; bytes are never written to database columns.

Security Headers (Helmet + CSP)

Full Helmet.js configuration in production: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Access Control & Authorisation

Access is controlled at both the platform level (admin / user roles) and the workspace level (membership-based). All sensitive operations require explicit authorisation.

Role-Based Access Control (Admin / User)

Platform roles are enforced via an adminProcedure middleware on all administrative tRPC procedures. Non-admin users cannot invoke admin operations regardless of client-side state.

Workspace Membership Checks

Access to any workspace resource requires verified membership. Invitation-only onboarding ensures no unauthorised workspace access.

Workspace MFA Enforcement Gate

Workspace administrators can require MFA for all members. Users without MFA enrolled are blocked from accessing the workspace until they complete enrolment.

Protected API Procedures

All tRPC procedures are explicitly typed as publicProcedure, protectedProcedure, or adminProcedure. There are no unauthenticated routes to authenticated resources.
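The three procedure tiers and the workspace_id scoping described in this section and under Workspace Isolation are easiest to see side by side with the bug they prevent. The block below is an added example for this page, not Holocen Tech's code: it uses plain functions rather than real tRPC middleware, and the session shape, the in-memory membership and assessment tables, and the function names are assumptions.

```typescript
// Added example, not Holocen Tech's code: the three procedure tiers and a
// workspace-scoped query, written as plain functions rather than real tRPC
// middleware. The session shape, the in-memory tables and the function names
// are assumptions.
export type Role = "admin" | "user";
export interface Session { userId: string; role: Role }
export interface Context { session: Session | null }
export class AuthError extends Error {
  readonly code: "UNAUTHORIZED" | "FORBIDDEN";
  constructor(code: "UNAUTHORIZED" | "FORBIDDEN") { super(code); this.code = code; }
}

interface Assessment { id: string; workspaceId: string; title: string }
// Constructed data: two workspaces, one member each, one assessment each.
const memberships = new Map<string, Set<string>>([
  ["ws_a", new Set(["u1"])],
  ["ws_b", new Set(["u2"])],
]);
const assessments: Assessment[] = [
  { id: "a1", workspaceId: "ws_a", title: "Alpha readiness" },
  { id: "a2", workspaceId: "ws_b", title: "Beta readiness" },
];

// protectedProcedure equivalent: any authenticated session.
export function requireSession(ctx: Context): Session {
  if (ctx.session === null) throw new AuthError("UNAUTHORIZED");
  return ctx.session;
}
// adminProcedure equivalent: the platform role is checked server-side, never
// trusted from client-side state.
export function requireAdmin(ctx: Context): Session {
  const s = requireSession(ctx);
  if (s.role !== "admin") throw new AuthError("FORBIDDEN");
  return s;
}
// Workspace membership gate: the caller must be a member of the workspace named
// in the input.
export function requireMember(ctx: Context, workspaceId: string): Session {
  const s = requireSession(ctx);
  if (!memberships.get(workspaceId)?.has(s.userId)) throw new AuthError("FORBIDDEN");
  return s;
}

// Insecure variant kept for contrast: membership of input.workspaceId is
// checked, but the row is fetched by id alone, so a member of ws_a can read
// a2 from ws_b by guessing its id.
export function getAssessmentUnscoped(ctx: Context, input: { workspaceId: string; id: string }): Assessment | null {
  requireMember(ctx, input.workspaceId);
  return assessments.find((a) => a.id === input.id) ?? null;
}

// Scoped variant: the same workspaceId that passed the membership check is
// part of the query predicate, so a row from another workspace can never be
// returned, whatever id the client supplies.
export function getAssessment(ctx: Context, input: { workspaceId: string; id: string }): Assessment | null {
  requireMember(ctx, input.workspaceId);
  return assessments.find((a) => a.workspaceId === input.workspaceId && a.id === input.id) ?? null;
}
```

The difference between the two query functions is the whole of "enforced at the query layer, not just the UI layer": the membership check alone is not enough if the row lookup does not also carry the workspace_id.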

API Security & Input Validation

Every API input is validated with Zod schemas. Rate limiting, SSRF prevention, and body size limits are applied at the server layer.

Input Validation (Zod)

All tRPC procedure inputs are validated with Zod schemas before any business logic executes. Invalid inputs are rejected with typed errors.

SSRF Prevention

Server-side URL fetching validates hostnames against an allowlist and a private-IP blocklist (RFC 1918 ranges, loopback, link-local, CGNAT). Bare-IP URLs are rejected.
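A validator that implements the checks above, plus the one a practitioner would add: resolving the allowlisted hostname before the request and checking every returned address, so that the connection can be pinned to a vetted IP rather than re-resolved (otherwise a DNS rebinding answer can redirect the fetch to an internal address after the check). This is an added example for this page, not Holocen Tech's code; the allowlist contents, the injectable resolver and the constructed DNS answers are assumptions, and the real service would resolve through DNS.

```typescript
// Added example, not Holocen Tech's code: outbound URL validation with a host
// allowlist, a private-address blocklist, bare-IP rejection, and resolution of
// the hostname before the request so the connection can be pinned to a checked
// address (guards against DNS rebinding). The allowlist contents and the
// injectable resolver are assumptions; the real service would resolve via DNS.
import { isIP } from "node:net";

export const ALLOWED_HOSTS = new Set(["www.linkedin.com", "partner.example"]); // assumed allowlist

export type Resolver = (hostname: string) => string[];
export type Verdict = { ok: true; url: URL; pinnedIp: string } | { ok: false; reason: string };

// RFC 1918, loopback, link-local, CGNAT (RFC 6598) and the "this network" block.
const BLOCKED_V4 = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

export function isPrivateIp(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return BLOCKED_V4.some((c) => inCidr(ip, c));
  if (family !== 6) return true; // not an address at all: treat as unsafe
  const lower = ip.toLowerCase();
  const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  if (mapped) return isPrivateIp(mapped[1]);
  if (lower === "::1" || lower === "::") return true; // loopback, unspecified
  if (/^f[cd]/.test(lower)) return true;              // fc00::/7 unique local
  if (/^fe[89ab]/.test(lower)) return true;           // fe80::/10 link-local
  return false;
}

export function validateFetchUrl(raw: string, resolve: Resolver): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  // The URL parser canonicalises numeric hosts (e.g. 2130706433 -> 127.0.0.1), so
  // checking the parsed hostname catches obfuscated bare IPs too.
  if (isIP(host) !== 0) return { ok: false, reason: "bare IP addresses are rejected" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: `host ${host} not on allowlist` };
  const addrs = resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "hostname did not resolve" };
  // Every resolved address must be public; a single private answer fails the URL.
  const bad = addrs.find(isPrivateIp);
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}` };
  // The caller should connect to pinnedIp (sending the original Host header)
  // rather than resolving again at connect time.
  return { ok: true, url, pinnedIp: addrs[0] };
}

// Constructed resolver standing in for DNS (addresses are illustrative, not real lookups).
const FAKE_DNS: Record<string, string[]> = {
  "www.linkedin.com": ["13.107.42.14"],
  "partner.example": ["10.0.0.5"], // allowlisted, but answers with an internal address
};
export const fakeResolver: Resolver = (h) => FAKE_DNS[h] ?? [];
```

The `partner.example` case is the one an allowlist alone misses: the hostname is approved, but its DNS answer points inside the network, so the blocklist must be applied to resolved addresses and not only to literal IPs in the URL.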

Request Body Size Limits

JSON request bodies are capped at 1 MB. File upload endpoints enforce a 16 MB limit with MIME-type validation.

Dependency Vulnerability Management

Automated weekly dependency scanning via Dependabot. Production dependency tree is maintained at zero critical and zero high vulnerabilities.

Data Handling & GDPR

Holocen Tech processes client data as a data processor under GDPR. Clients retain ownership of their data and can request deletion or export at any time.

Privacy Policy

A full privacy policy is published at /privacy-policy, covering data categories, legal bases, retention periods, and data subject rights.

Right to Erasure (GDPR Art. 17)

Workspace deletion cascades across all related tables (assessments, research, documents, members, notes, funding matches). Company records are deleted if no remaining workspaces exist.

Data Processing Agreement (DPA)

A Data Processing Agreement is available for enterprise clients. Contact us to request a DPA.

Available on request

Data Portability (GDPR Art. 20)

Workspace administrators can request a full structured export of their workspace data — assessments, research files, document metadata, team members, funding matches, and notes — packaged as a ZIP archive and delivered via a secure, time-limited download link.

Available via workspace settings — contact us to request

Data Backup & Retention

Database backups are managed by the Manus platform infrastructure under its SOC 2 Type II programme. Backup schedules, retention periods, and recovery procedures are governed by the Manus platform SLA.

Via Manus platform SLA — see trust.manus.im

Document & File Confidentiality

Pitch decks, cap tables, shareholder agreements, and research reports uploaded to the DD Room are treated as the most sensitive assets on the platform.

Workspace-Scoped File Access

Every uploaded file is associated with a workspace_id at the database layer. File metadata and download URLs are only returned to users who are verified members of that workspace. No other user or organisation on the platform can access your files — this is enforced at the query layer, not just the UI layer.

Non-Enumerable Storage Keys

Files are stored in S3-compatible object storage with randomised, non-guessable keys (e.g. `{userId}-files/(unknown)-{randomSuffix}.pdf`). There is no sequential ID or predictable pattern that would allow an attacker to enumerate or guess file URLs.

No AI Training on Client Files

Documents uploaded to the DD Room — including pitch decks, financial documents, and research reports — are never used to train AI models. They are used only to generate responses for the requesting user within their workspace session.

File Bytes Never Stored in Database

File content is never written to database columns. Only metadata (filename, S3 key, upload timestamp, file size) is stored in the database. The actual bytes live exclusively in encrypted S3-compatible object storage.

Upload Size & Type Validation

File uploads are validated server-side: pitch decks and documents are capped at 16 MB with MIME-type validation. Malformed or unexpected file types are rejected before any processing occurs.

Deletion Cascade on Workspace Removal

When a workspace is deleted, all associated file metadata is removed from the database. S3 object deletion is triggered as part of the cascade. Files do not persist after a workspace is deleted.

Monitoring & Audit Logging

All security-relevant events are logged with full context. The audit log is accessible to platform administrators and is used for incident investigation.

Security Event Logging

The following events are logged with user context, IP address, and timestamp: LOGIN, LOGIN_FAILED, ACCOUNT_LOCKED, LOGOUT, MFA_ENABLED, MFA_DISABLED, MFA_CHALLENGE, MFA_RECOVERY_USED, DEACTIVATE, REACTIVATE.

Admin Audit Log

All administrative CRUD operations are recorded in an immutable audit log. The log includes the actor, action, affected record, and IP address.

System Health Monitoring

A system health dashboard is available to platform administrators, showing database connectivity, service uptime, and recent error rates.

Incident Response

The platform operates under the Manus platform SOC 2 Type II incident response programme. Security issues can be reported directly to the Holocen Tech team.

Via Manus platform SOC 2 Type II programme

Backup & Recovery

Client data is protected by automated backups at the infrastructure layer and by versioned application deployments. Recovery objectives are defined and tested against the Manus platform SLA.

Automated Database Backups

Structured client data (assessments, workspaces, team members, funding matches, notes) is stored in TiDB Cloud, which performs automated daily backups with a 30-day retention window. Point-in-time recovery is available within the retention period. Backup operations are covered under the Manus platform SOC 2 Type II availability controls.

Via Manus platform (TiDB Cloud) — see trust.manus.im

File Storage Redundancy

Uploaded files (pitch decks, research reports, documents) are stored in S3-compatible object storage with built-in geographic redundancy. Storage durability is 99.999999999% (11 nines) as provided by the underlying object storage infrastructure.

Via Manus platform (S3-compatible object storage)

Application Version History & Code Recovery

Every application deployment is versioned and checkpointed. In the event of an application-layer incident, the platform can be rolled back to any previous checkpoint within minutes. Version history is retained indefinitely. The full application source code is independently mirrored to a private GitHub repository on every deployment, providing a secondary recovery path that is independent of the Manus platform infrastructure.

Manus deployment checkpoints + GitHub source code mirror

Recovery Point Objective (RPO)

RPO is 24 hours for structured database data, aligned with the daily automated backup cadence of the Manus platform infrastructure. In practice, TiDB Cloud point-in-time recovery can reduce data loss to minutes within the retention window.

Governed by Manus platform SLA

Recovery Time Objective (RTO)

RTO for application-layer incidents is 2–4 hours: the time required to redeploy from a verified checkpoint, confirm database connectivity, and validate data integrity. Infrastructure-layer recovery (database, storage) is governed by the Manus platform SLA and typically resolves within 4 hours for non-catastrophic incidents.

Application layer: 2–4 hours. Infrastructure layer: per Manus platform SLA

Recovery Responsibility

Infrastructure-layer recovery (database restoration, storage availability) is the responsibility of the Manus platform team under their SOC 2 Type II programme. Application-layer recovery (redeployment, configuration restoration) is the responsibility of Holocen Tech. As a data processor, Holocen Tech notifies affected clients of any incident involving personal data without undue delay, as GDPR Article 33(2) requires, and in any case within 72 hours so that clients, as controllers, can meet their own 72-hour notification duty under Article 33(1).

Infrastructure & Availability

The Holocen Tech platform is hosted on the Manus AI infrastructure, which independently holds SOC 2 Type II, ISO 27001:2022, and ISO 27701:2019 certifications.

SOC 2 Type II

The hosting platform holds a current SOC 2 Type II report (an independent auditor's attestation rather than a certificate) covering the security, availability, and confidentiality trust services criteria.

Via Manus platform — see trust.manus.im

ISO 27001:2022 — Information Security Management

The platform is certified against ISO 27001:2022, the international standard for information security management systems.

Via Manus platform — see trust.manus.im

ISO 27701:2019 — Privacy Information Management

ISO 27701 extends ISO 27001 with privacy information management requirements, demonstrating commitment to GDPR-aligned data handling.

Via Manus platform — see trust.manus.im

Multi-Cloud Redundancy

Infrastructure is distributed across AWS, GCP, and Azure, providing geographic and provider redundancy with built-in DDoS protection.

Via Manus platform

99.9% Uptime SLA

The Manus platform commits to a 99.9% monthly uptime SLA for production services. Planned maintenance windows are communicated in advance.

Via Manus platform

Personnel & Organisational

Supply Chain Security

Application dependencies are scanned weekly via Dependabot with zero critical or high vulnerabilities in the production dependency tree. The Manus platform infrastructure undergoes independent security assessments; details are published at the Manus Trust Centre.

Dependabot weekly scans + Manus platform security programme — see trust.manus.im

Employee Background Checks

All platform-level staff undergo background checks as part of the Manus platform's SOC 2 Type II personnel security controls. Holocen Tech team members with access to client workspaces are subject to confidentiality obligations.

Via Manus platform SOC 2 Type II programme

Confidentiality Agreements

All staff and contractors with access to client data are bound by confidentiality agreements. Platform-level personnel are covered under the Manus platform's SOC 2 Type II confidentiality controls.

Via Manus platform SOC 2 Type II programme

Subprocessors

Holocen Tech uses a small number of third-party services to operate the platform. The entries below list every subprocessor that receives or processes data on behalf of clients, along with the data category, processing location, and legal basis for the transfer.

Manus AI — Platform Infrastructure

Manus AI provides the hosting infrastructure, authentication, database (TiDB Cloud), file storage (S3-compatible), and LLM inference layer. All structured client data (assessments, workspaces, research, documents) and uploaded files are stored on Manus infrastructure. LLM prompts containing company research content are processed via the Manus Forge API. Manus holds SOC 2 Type II, ISO 27001:2022, and ISO 27701:2019 certifications. Full details at trust.manus.im.

Data category: all platform data · Location: US · Legal basis: SCCs · Assurance: SOC 2 Type II · See trust.manus.im

Resend — Transactional Email

Resend is used exclusively to deliver transactional emails: password reset links and user invitation emails. The only personal data transmitted to Resend is the recipient's email address. Resend is used in send-only mode — no read access to email logs or contact lists is granted. No client workspace data, assessment content, or business-sensitive information is transmitted.

Data category: email address only · Location: US · Legal basis: SCCs · resend.com

BrightData — LinkedIn Research Enrichment

BrightData is used to retrieve publicly available LinkedIn company page data as part of the research enrichment workflow for client companies. Only the company name and public LinkedIn URL are transmitted — no personal data relating to individuals is sent. This service is used exclusively by Holocen Tech staff during the research phase; it is not triggered by client actions.

Data category: company name and public LinkedIn URL only · Location: US · Legal basis: SCCs · brightdata.com

Perplexity AI — Deep Research

Perplexity AI is used to conduct automated deep research queries on companies and markets as part of the readiness assessment workflow. Research prompts contain company names and publicly available information. No personal data relating to individuals and no confidential client documents are transmitted to Perplexity. This service is used exclusively by Holocen Tech staff during the research phase.

Data category: company names and public market information · Location: US · Legal basis: SCCs · perplexity.ai

Frequently Asked Questions

Questions about our security posture?

We are happy to provide a security pack, answer specific questions, or arrange a call with our technical team.

© 2026 Holocen Tech. All rights reserved.