PocketFund

Security

Effective May 7, 2026 · Last updated May 7, 2026

We take the security of founder and investor data seriously. This page describes the practices we've actually implemented today — not the certifications we hope to earn later.

What we do, in plain English

HTTPS everywhere

TLS 1.3 + HSTS on every page. HTTP is auto-redirected to HTTPS. Certificates issued automatically by Let's Encrypt via Vercel.

Encryption at rest

Postgres databases (Supabase) and object storage are encrypted at rest by default by our infrastructure providers.

Row-level security

Every database table is gated by RLS policies — your data is only readable by your account, the counterparty in a deal, or a granted reviewer.

NDA-gated data rooms

Founder data rooms require investor NDA acceptance before access. Every view is logged + timestamped. Founders revoke access with one click.

Audit log

Sensitive actions (NDA signings, data-room file views, bid placements) are recorded in an append-only audit log.
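The three practices above (row-level security, NDA-gated data rooms with one-click revocation, and an append-only audit log) can all be enforced inside Postgres rather than in application code. The schema below is an added illustration, not PocketFund's own schema or code: the table and column names (deals, reviewer_grants, data_room_files, audit_log, nda_accepted_at, revoked_at) are hypothetical, and auth.uid() is Supabase's helper that returns the id of the user making the request.

```sql
-- Added illustration, not PocketFund's schema. Table/column names are hypothetical;
-- auth.uid() is Supabase's helper returning the calling user's id.

create table deals (
  id              uuid primary key default gen_random_uuid(),
  founder_id      uuid not null,
  investor_id     uuid not null,
  nda_accepted_at timestamptz            -- null until the investor accepts the NDA
);

create table reviewer_grants (           -- reviewers a founder has explicitly granted
  deal_id     uuid not null references deals(id),
  reviewer_id uuid not null,
  revoked_at  timestamptz,               -- "revoke with one click" = set this, never delete the row
  primary key (deal_id, reviewer_id)
);

create table data_room_files (
  id           uuid primary key default gen_random_uuid(),
  deal_id      uuid not null references deals(id),
  name         text not null,
  storage_path text not null
);

-- 1. Row-level security: with RLS enabled, a row is invisible unless a policy allows it.
--    FORCE also applies the policies to the table owner.
alter table data_room_files enable row level security;
alter table data_room_files force row level security;

-- The founder who owns the deal can always read its files.
create policy founder_reads_own_files on data_room_files
  for select using (
    exists (select 1 from deals d
            where d.id = data_room_files.deal_id and d.founder_id = auth.uid())
  );

-- 2. NDA gate: the investor (counterparty) sees files only once nda_accepted_at is set.
create policy investor_reads_after_nda on data_room_files
  for select using (
    exists (select 1 from deals d
            where d.id = data_room_files.deal_id
              and d.investor_id = auth.uid()
              and d.nda_accepted_at is not null)
  );

-- A granted reviewer sees files only while the grant has not been revoked.
create policy reviewer_reads_while_granted on data_room_files
  for select using (
    exists (select 1 from reviewer_grants g
            where g.deal_id = data_room_files.deal_id
              and g.reviewer_id = auth.uid()
              and g.revoked_at is null)
  );

-- 3. Append-only audit log: inserts are allowed, updates and deletes are rejected
--    by a trigger, so the application role cannot rewrite history.
create table audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  actor_id   uuid,
  action     text not null,              -- e.g. 'nda_signed', 'file_viewed', 'bid_placed'
  subject_id uuid,
  detail     jsonb
);

create or replace function audit_log_is_append_only() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% blocked)', tg_op;
end $$;

create trigger audit_log_no_update_or_delete
  before update or delete on audit_log
  for each row execute function audit_log_is_append_only();

-- Recording a data-room view looks like this (actor and file id come from the request):
--   insert into audit_log (actor_id, action, subject_id)
--   values (auth.uid(), 'file_viewed', <file id>);
-- Any later "update audit_log set ..." or "delete from audit_log ..." raises
-- "audit_log is append-only (UPDATE blocked)" / "(DELETE blocked)".
```

Three checks a reviewer would run against a schema like this: the role the application connects with must not be a superuser and must not have BYPASSRLS, or both the policies and the trigger are silently skipped; Postgres policies are permissive and OR-ed together, so one overly broad extra policy widens every user's access without touching the three above; and revocation sets revoked_at rather than deleting the grant row, so the record of who once had access survives alongside the audit log.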

MFA available

Two-factor authentication available on every account. We strongly recommend enabling it on the first login.

Responsible disclosure

Found a vulnerability? Email security@ (full details and our response times are under "Found a vulnerability? Tell us." below). We credit responsible reports.

Honest about what we don't have

No fake SOC 2 / ISO 27001 / HIPAA stamps. We'll publish those badges when (and only when) the audits actually complete.

Standards we follow

Honest about where we are.

  • GDPR best practices — EU/UK data-subject rights honoured (access, deletion, portability)
  • DPDP Act 2023 (India) — purpose-limited processing, consent-based collection, breach notification
  • Data minimisation — we collect only what we need to match founders + investors
  • Retention limits — account data: until you delete · Tax / financial records: 7 years (legal requirement)

No certification claims. PocketFund is a young company. We're committed to following GDPR + DPDP best practices but are not yet SOC 2 / ISO 27001 audited. As we grow we'll pursue formal certifications and update this page when each completes — not before.

Found a vulnerability? Tell us.

We run a responsible-disclosure program. Email security@pocketfund.in with details of the issue, steps to reproduce, and your PGP key (if any). We'll acknowledge within 24 hours, triage within 72 hours, and credit you in our hall of fame on resolution.