Trust Center

Security & compliance, plainly stated

Stivara is early-stage software. This page tells you exactly what is true about our security posture today, and what is still on the roadmap — no certifications we don't hold, no guarantees we can't back up.

Last updated 9 July 2026

Live today

What's actually implemented in the product right now.

live

Encryption in transit & at rest

All connections use TLS. Data at rest is encrypted by our infrastructure providers (Supabase/Postgres, Vercel).

live

Tenant isolation

Every table is protected by Postgres Row Level Security scoped to your organization — one tenant can never query another’s rows.

live

Private document storage

Uploaded documents live in a private storage bucket. Access is granted only to authenticated members of your organization.

live

Role-based accounts

Every user has an explicit role (super admin, practice staff, client admin, client user) that scopes what they can see and do.

On the roadmap

Not built yet — flagged here so you can plan around it, not discover it the hard way.

planned

Per-company access control

Today, any member of your organization can see all companies in it. Fine-grained per-company staff permissions are on the roadmap.

planned

Full audit trail

A record of who viewed, edited, or downloaded what, and when, is planned but not yet implemented.

planned

SOC 2 Type II

Not yet started. We are not precluding this architecturally, but no certification exists today — don’t take this page as a claim otherwise.

planned

ISO 27001

Same as above: on the long-term roadmap once we have paying enterprise clients, not certified today.

Data privacy by jurisdiction

Stivara currently supports Singapore, Malaysia, the Philippines, and South Korea. Regulatory posture for each is still maturing — treat this as status, not a compliance certification.

JurisdictionFrameworkStatus
SingaporePDPAData handling commitments for SG-incorporated client companies are being built into the platform; cross-border transfer rules are still being confirmed.
MalaysiaPDPASame status as Singapore — architecture supports jurisdiction-scoped data, specific residency guarantees are not yet finalized.
PhilippinesData Privacy Act (NPC)Same status — not yet a finalized, audited commitment.
South KoreaPIPALightest-touch jurisdiction in our current build; residency and processing terms are still being worked out.

AI & your data

The AI Assistant only sends data to a model provider when you actively ask it a question or upload a document for indexing — nothing is scanned or sent in the background.

SubprocessorPurpose
SupabasePrimary database (Postgres), authentication, and file storage
VercelApplication hosting and compute
Google GeminiAI model provider for the AI Company Secretary chat, document Q&A, and search embeddings

Formal data processing agreements with each subprocessor are not yet in place — this is tracked as part of the security roadmap above.

Have a security question?

Email director@iamstivai.com and we'll get you a straight answer.