Security & Trust

Built for data you’re trusted to protect.

CorpSec AI handles your clients’ corporate records, beneficial-owner identities and statutory filings. Here is exactly how we keep that data resident in Singapore, isolated per firm, encrypted, and out of any AI training set — with the controls named so your procurement team can verify them.

Data hosted in SingaporeEncrypted in transit & at restImmutable audit trailNever used to train AI

At a glance

Data residencyHosted in Singapore (Vercel sin1) — in-region, close to ACRA.
Tenant isolationApp-layer firm scoping + Supabase RLS — two independent layers.
Audit trailAppend-only. Logs are never edited or deleted.
PII maskingNRIC & passport masked in the app and before AI sees them.
Access controlAdmin, reviewer, preparer and viewer roles.
AI trainingYour data is never used to train AI models. Full stop.

Data residency & encryption

Your data is hosted in Singapore and encrypted both in transit and at rest.

  • Application and API run in Vercel’s Singapore region (sin1) — data is processed in-region.
  • The database, authentication and file storage run on Supabase.
  • All network traffic is encrypted in transit with TLS.
  • Data at rest is encrypted at the platform level by Supabase and Vercel.
  • Documents are stored privately and accessed via short-lived signed URLs, not public links.

Multi-tenant isolation

Every firm’s data is isolated in two independent layers — a bug in one cannot expose another tenant.

  • Every query is explicitly scoped to your firm (csp_firm_id) in the application layer.
  • Even privileged service-role queries carry an explicit firm filter — they never rely on trust alone.
  • Supabase Row-Level Security (RLS) policies enforce the same boundary at the database.
  • The two layers are independent: defence in depth, so a single mistake does not leak data.

Immutable audit trail

Every meaningful action is logged to an append-only trail that can never be altered.

  • The audit log is INSERT-only — the system never updates or deletes an entry.
  • Document generation, KYC/AML screening, approvals and ACRA filings are all logged.
  • Each entry captures who did what, when — giving you a defensible compliance record.
  • Filed documents carry file anchors (content fingerprints) so a record can be tied to the exact file that was lodged.

PII masking

Identity numbers are masked in the interface and before any data reaches the AI.

  • NRIC and passport numbers are shown masked (for example S••••567A) throughout the app.
  • The full identity number is never sent to the AI model — only the masked form.
  • Masking is applied consistently in document previews, fields and AI context.

Access control & roles

Role-based access ensures the right people prepare, review and approve the right steps.

  • Admin — manages the firm, users and settings.
  • Reviewer — reviews and approves drafts before they are filed.
  • Preparer — drafts documents and runs workflows.
  • Viewer — read-only access for stakeholders who only need visibility.
  • Sensitive actions such as approvals and filings are gated to the appropriate role.

Second-AI review & human-in-the-loop

Every AI draft is checked by a second, independent AI pass — and a human signs off before anything is filed.

  • After a document is drafted, an independent second-AI review checks wording, statutory references, dates and completeness.
  • Compliance rules act as a hard gate — filings that would breach a rule are blocked, not silently sent.
  • Nothing is filed automatically: a human reviewer confirms and signs off every submission.
  • The AI does the work and shows its reasoning; you stay in control of the outcome.

Your data is never used to train AI models

We do not use your firm or client data to train, fine-tune or improve any AI model — ours or our providers’.

  • Data sent to the AI is used solely to complete the specific request you made.
  • Your data is never used for model training, fine-tuning or evaluation.
  • Identity numbers are masked before they reach the model, minimising what is ever transmitted.
  • This applies to all AI features: drafting, review and KYC/AML analysis.

Backups & recovery

Data durability is backed by our infrastructure provider’s managed backup and recovery.

  • The database benefits from Supabase’s managed daily backups.
  • Point-in-time recovery (PITR) is available on our infrastructure tier for fine-grained restore.
  • Recovery relies on platform-level guarantees from Supabase rather than ad-hoc scripts.

Data export & portability

Your data is yours. You can export it, and there is no lock-in on your records.

  • Company records, officers and documents can be exported from the platform.
  • Generated documents are produced as standard .docx files you can keep independently.
  • On offboarding we will return or delete your data in line with our DPA and your instructions.

Sub-processors

CorpSec AI relies on three infrastructure providers, each for a specific and limited purpose. We do not sell data, and no other party processes your data on our behalf.

Sub-processorPurposeRegion
VercelApplication & API hosting (compute, edge).Singapore (sin1)
SupabasePostgreSQL database, authentication and private file storage.Singapore / Asia-Pacific
Anthropic (Claude)AI model that drafts and independently reviews documents. Not used to train on your data.API-based; data not retained for training

Compliance mapping

CorpSec AI is designed to help Singapore CSPs meet their obligations. The controls above map to the frameworks that matter for corporate-secretarial work.

FrameworkHow CorpSec AI supports it
PDPA (Singapore)PII masking, purpose-limited processing, in-region hosting, role-based access, export and deletion support, and a template DPA covering data-subject rights.
CSP Act 2024Immutable audit trail, KYC/AML screening workflows, and retention aligned to CSP record-keeping obligations (≥5 years).
Companies Act 1967Resolutions, filings and deadline logic encode the actual statutory requirements enforced by ACRA.

Certifications & roadmap

We believe in stating our security posture honestly. Below is what is in place today and what is planned. We do not claim certifications we do not hold.

In place
Encryption in transit & at restTLS in transit; platform-level encryption at rest.
In place
Singapore data residencyHosted in Vercel sin1.
In place
Append-only audit loggingINSERT-only audit trail across the product.
Planned
SOC 2 Type IIOn our roadmap; not yet certified.
Planned
ISO/IEC 27001On our roadmap; not yet certified.

Doing security due diligence?

We’re happy to walk your team through our controls, complete a vendor questionnaire, or sign a Data Processing Agreement before you go live.

Related: Privacy Policy · Terms of Service · Data Processing Agreement