Security is not a feature.
It's the foundation.
Your fundraising data is some of the most sensitive information your company has. We treat it that way. Fund54 is built with security at every layer of the stack.
Six layers of protection
Encryption in Transit
All data transmitted between your browser and Fund54 is encrypted using TLS 1.3. API calls, file uploads, and authentication tokens are always protected.
HTTPS everywhere, HSTS headers, certificate pinning.
Encryption at Rest
Your database and file storage are encrypted at rest using AES-256. Data room files are stored in isolated, encrypted object storage with server-side encryption.
AES-256-GCM, automatic key rotation.
Row-Level Security (RLS)
Every database query is scoped to the authenticated user via Postgres Row-Level Security policies. Users only access data they are explicitly authorized to see. No exceptions.
Enforced at the database layer, not the application layer.
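As an added illustration, not Fund54's own schema or policies, this is what a workspace-scoped Row-Level Security setup looks like in the Supabase flavour of Postgres. The table names, the role names and the two helper functions are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the caller's JWT. The same policies are what make one workspace's rows invisible to every other workspace, whether the query comes from application code or from a direct database connection.

```sql
-- Added example, not Fund54 code. Table/column names, roles and helpers are assumptions.
-- auth.uid() is Supabase's helper that reads the JWT 'sub' claim from the request.

create table workspaces (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table workspace_members (
  workspace_id uuid not null references workspaces(id) on delete cascade,
  user_id      uuid not null,            -- matches auth.users.id
  role         text not null check (role in ('owner', 'admin', 'member', 'viewer')),
  primary key (workspace_id, user_id)
);

create table data_room_files (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces(id) on delete cascade,
  storage_path text not null,
  uploaded_by  uuid not null,
  created_at   timestamptz not null default now()
);

-- Membership checks live in SECURITY DEFINER helpers with a pinned search_path:
-- the helper reads workspace_members without recursing through that table's own
-- RLS policies, and a caller cannot swap in a shadow table via their search_path.
create or replace function is_workspace_member(ws uuid)
returns boolean language sql security definer stable
set search_path = public
as $$
  select exists (
    select 1 from workspace_members
    where workspace_id = ws and user_id = auth.uid()
  );
$$;

create or replace function has_workspace_role(ws uuid, allowed text[])
returns boolean language sql security definer stable
set search_path = public
as $$
  select exists (
    select 1 from workspace_members
    where workspace_id = ws
      and user_id = auth.uid()
      and role = any(allowed)
  );
$$;

-- A user may see only their own membership rows.
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
create policy members_select on workspace_members
  for select using (user_id = auth.uid());

-- Files: ENABLE turns RLS on, FORCE applies it to the table owner as well.
-- With RLS on and no matching policy, every row is denied by default.
alter table data_room_files enable row level security;
alter table data_room_files force row level security;

-- Read: any member of the file's workspace.
create policy files_select on data_room_files
  for select using (is_workspace_member(workspace_id));

-- Insert: owners/admins only, and WITH CHECK stops a caller from writing a row
-- whose workspace_id points at a workspace they do not belong to.
create policy files_insert on data_room_files
  for insert with check (has_workspace_role(workspace_id, array['owner', 'admin']));

-- Delete: owners/admins only. No UPDATE policy exists, so updates are rejected.
create policy files_delete on data_room_files
  for delete using (has_workspace_role(workspace_id, array['owner', 'admin']));

-- Verification in a throwaway transaction: impersonate the 'authenticated' role
-- with a constructed JWT claim set and confirm only that user's rows come back.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from data_room_files;        -- rows from the impersonated user's workspaces only
insert into data_room_files (workspace_id, storage_path, uploaded_by)
  values ('11111111-1111-1111-1111-111111111111', 'x.pdf', auth.uid());  -- fails unless owner/admin there
rollback;
```

Two checks worth running against any RLS-backed design: first, that every table holding tenant data has RLS both enabled and forced, since a table with RLS enabled but no policies still denies everything, whereas a table with RLS off returns everything; second, that credentials which carry the BYPASSRLS attribute (superusers, and in Supabase the `service_role` key) never reach a client or a request-scoped code path, because policies are simply not evaluated for them.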
Signed URLs for Files
Data room files are served through time-limited signed URLs that expire automatically. No permanent links to sensitive documents exist.
URLs expire after 60 minutes. A signed URL is issued only to an authenticated user who is authorized for that file, and it stops working once its expiry passes.
Comprehensive Audit Logs
All data room access, file views, profile visits, and permission changes are logged with timestamps, user identifiers, and IP addresses.
Founders see exactly who viewed their materials and when.
Authentication & Sessions
Secure authentication powered by Supabase Auth with JWTs, automatic session refresh, rate-limited login attempts, and secure HttpOnly cookies.
Magic link auth, bcrypt password hashing, CSRF protection.
How your data flows
Every request passes through multiple security checkpoints before reaching your data.
Security practices
Beyond encryption and access control, here's what we do to keep your data safe.
Role-Based Access Control
Fine-grained RBAC with 22 permission types across 7 roles. Control who can edit profiles, manage data rooms, invite members, and more.
Rate Limiting
All API endpoints and authentication flows are rate-limited to prevent brute force attacks and abuse.
Input Validation
All user inputs are validated and sanitized server-side before they touch the database or are rendered back to a browser, which is the first line of defence against SQL injection and XSS; CSRF is covered by the session protections described under Authentication & Sessions.
Dependency Security
We regularly audit and update all dependencies. Known vulnerabilities are patched within 48 hours of disclosure.
Data Isolation
Each workspace is completely isolated. The isolation is enforced by the same database-level Row-Level Security policies, so there is no way for one workspace to access another's data, even with a direct database connection rather than through the application.
No Third-Party Tracking
We do not use third-party analytics, tracking pixels, or ad networks. Your fundraising data stays between you and Fund54.
Have a security concern?
If you discover a vulnerability or have questions about our security practices, we want to hear from you.