Security Policy
Last Updated: July 2026
1. Authentication
Sign-in is handled by Supabase Auth, a dedicated authentication provider - Capmatter never stores your password directly. Sessions are managed via secure, SameSite=Lax cookies scoped to our domain, enforced over HTTPS in production. One sign-in works across the Financial OS and Founder Circle without signing in again, since both share the same authentication provider and cookie domain.
2. Data isolation
Your data is protected by database-level row security policies, not just application-layer checks - every query, whether it comes from our own application code or a direct API call, is filtered by the database itself to only the rows you're authorized to see or modify. Cross-tenant access (one company or user reading or writing another's data) is enforced at this layer, not left to application code alone.
3. The share ledger - write-once, tamper-evident
The Financial OS's cap table is built on an append-only ledger: ownership records cannot be edited or deleted after the fact by any user, including company owners - only voided with a recorded reason, preserving the original entry. Sensitive correction operations (voiding a ledger entry or ESOP grant) run through privileged, server-side-only database functions that independently re-verify ownership on every call, so a compromised client or forged request cannot bypass authorization by calling the underlying operation directly.
4. Server-side enforcement
Every request that changes data is independently authenticated and authorized on our servers - client-side checks (hiding a button, redirecting a page) are a UX convenience only, never the actual security boundary. This applies uniformly to founder-facing features, billing, and administrative tools alike.
5. Input validation
Every write path validates its input on our servers, independent of whatever validation the browser already performed - request bodies are checked against strict schemas (type, format, length, and allowed-value checks) before anything is written, and rejected with a clear error otherwise. This protects against malformed, malicious, or unexpectedly large input arriving from any source, not just our own web app.
6. Rate limiting and abuse prevention
Write-heavy actions (posting, commenting, messaging, following, submitting forms) are rate-limited per account to limit the impact of automated abuse, credential-stuffing attempts, or a compromised account being used to spam other members.
7. Audit logging
Financial mutations (shareholder, funding round, ESOP, and share-class changes) and administrative actions (moderation, verification review, feature-flag changes) are recorded in an append-only audit trail - who did what, when, and what the record looked like before and after - independent of the data itself, so a change can always be traced back to who made it.
8. Encryption
- In transit: all traffic between your browser and Capmatter, and between our services and our database, is encrypted via HTTPS/TLS.
- At rest: data is stored with our infrastructure provider's standard at-rest encryption.
9. Verification and moderation
Access to Founder Circle requires a reviewed founder/investor/mentor/operator verification application - self-approval is not possible, and every review action (approve, reject, request changes) is performed and recorded by a real administrator through a server-enforced review workflow. Founder Circle also has active content moderation for community conduct issues, described in our Acceptable Use Policy.
10. Account export and deletion
Deleting your account requires re-entering your password and confirming via an emailed link before anything happens, and immediately restricts sign-in once confirmed, closing the window for someone else to use your still-active session during the grace period. See our Data Retention Policy for what happens to your data during and after this process.
11. Reporting a security issue
If you believe you've found a security vulnerability in Capmatter, please report it to us directly and privately rather than disclosing it publicly, so we can investigate and fix it before it's exploited. We ask that you avoid accessing, modifying, or deleting data that isn't your own while investigating.
Security contact: support@capmatter.com
Please include steps to reproduce, and, where relevant, the affected app (Marketing Website, Financial OS, or Founder Circle).