Trust Center
Security & compliance, plainly stated
Stivara is early-stage software. This page tells you exactly what is true about our security posture today, and what is still on the roadmap — no certifications we don't hold, no guarantees we can't back up.
Last updated 9 July 2026
Live today
What's actually implemented in the product right now.
Encryption in transit & at rest
All connections use TLS. Data at rest is encrypted by our infrastructure providers (Supabase/Postgres, Vercel).
Tenant isolation
Every table is protected by Postgres Row Level Security scoped to your organization — one tenant can never query another’s rows.
Private document storage
Uploaded documents live in a private storage bucket. Access is granted only to authenticated members of your organization.
Role-based accounts
Every user has an explicit role (super admin, practice staff, client admin, client user) that scopes what they can see and do.
On the roadmap
Not built yet — flagged here so you can plan around it, not discover it the hard way.
Per-company access control
Today, any member of your organization can see all companies in it. Fine-grained per-company staff permissions are on the roadmap.
Full audit trail
A record of who viewed, edited, or downloaded what, and when, is planned but not yet implemented.
SOC 2 Type II
Not yet started. We are not precluding this architecturally, but no certification exists today — don’t take this page as a claim otherwise.
ISO 27001
Same as above: on the long-term roadmap once we have paying enterprise clients, not certified today.
Data privacy by jurisdiction
Stivara currently supports Singapore, Malaysia, the Philippines, and South Korea. Regulatory posture for each is still maturing — treat this as status, not a compliance certification.
| Jurisdiction | Framework | Status |
|---|---|---|
| Singapore | PDPA | Data handling commitments for SG-incorporated client companies are being built into the platform; cross-border transfer rules are still being confirmed. |
| Malaysia | PDPA | Same status as Singapore — architecture supports jurisdiction-scoped data, specific residency guarantees are not yet finalized. |
| Philippines | Data Privacy Act (NPC) | Same status — not yet a finalized, audited commitment. |
| South Korea | PIPA | Lightest-touch jurisdiction in our current build; residency and processing terms are still being worked out. |
AI & your data
The AI Assistant only sends data to a model provider when you actively ask it a question or upload a document for indexing — nothing is scanned or sent in the background.
| Subprocessor | Purpose |
|---|---|
| Supabase | Primary database (Postgres), authentication, and file storage |
| Vercel | Application hosting and compute |
| Google Gemini | AI model provider for the AI Company Secretary chat, document Q&A, and search embeddings |
Formal data processing agreements with each subprocessor are not yet in place — this is tracked as part of the security roadmap above.
Have a security question?
Email director@iamstivai.com and we'll get you a straight answer.