Security
Last updated: July 15, 2026
Readyloop is built for teams preparing AI compliance evidence. We take a practical security posture appropriate to an early SaaS product—honest about what we do and what we don't claim yet.
Access control
- Authentication via Clerk (hosted identity)
- Workspace data scoped by organization membership in Convex; mutations require an authenticated member with edit rights
- Auditor links are tokenized, expiring, and revocable
- API keys are stored as SHA-256 hashes; the raw key is shown once at creation and can be revoked anytime
Encryption & infrastructure
- TLS in transit for the site (Vercel) and Convex API
- Data at rest is stored in Convex's managed database and file storage (provider-managed encryption at rest)
- Hosting on Vercel; identity on Clerk; optional payments on Stripe
- We do not operate our own physical datacenters—security inherits from these subprocessors' controls
Evidence & integrity
- On attach we store a pointer fingerprint and attempt to archive a snapshot of the URL body (up to 2MB) with a SHA-256 body hash
- If the URL is behind auth or unreachable, snapshot may fail—you can upload a file snapshot manually
- Evidence older than 90 days is flagged stale on Overview; Refresh re-verifies and re-captures when possible
Backups, retention & deletion
- Convex provides managed durability/backups for the application database as part of their platform
- You can export workspace JSON anytime (export guide)—we recommend keeping your own compliance copy
- After an account deletion request, we delete or anonymize workspace data within 30 days (see Privacy), except where retention is required for security or legal reasons
- Revoking an auditor link immediately stops new access via that token; snapshot file URLs for captured evidence are bearer URLs—delete evidence to revoke file access
Access logging
We retain application-level ingest logs (event type, success/failure, timestamp) in the workspace for operators. We do not currently expose a full end-user audit trail UI; platform access logs live with Clerk / Convex / Vercel. Contact us if you need a specific access report for diligence.
Subprocessors
Clerk, Convex, Vercel, and Stripe (when billing is enabled). Optional SMTP provider for digests. Details in Privacy.
Report an issue
Email hello@getreadyloop.com with details. We aim to acknowledge security reports within 2 business days.