Skip to content

Trust center · v2026-06

Security & compliance.

The channel data you upload — VAR org trees, rep emails, account ownership — is some of the most sensitive in your business. Here's exactly how we protect it.

Pillars

How your data is protected.

Encryption everywhere

Your data is encrypted in flight and at rest with industry-standard ciphers.

  • TLS 1.2+ on every connection — HTTPS enforced
  • Encryption at rest for the Postgres database (AES-256, managed by Supabase)
  • CRM OAuth credentials encrypted at rest (AES-256-GCM, application layer)
  • Secrets kept in the platform's encrypted env store — never in source control

Tenant isolation

Every query is scoped by organizationId — your data never crosses workspaces.

  • Every database row carries an organizationId column
  • Server-side requireOrg() guard enforces the scope on every page + action
  • Composite indexes on (organizationId, …) make scoping the fast path
  • No shared caches between tenants — keys include organizationId

Identity & access

Clerk-backed authentication with password security, MFA, and SSO support on every plan.

  • Bcrypt password hashing (configurable strength) — handled by Clerk
  • TOTP + WebAuthn / passkeys for second factor
  • SAML 2.0 SSO with major IdPs (Okta, Azure AD, Google Workspace)
  • SCIM 2.0 provisioning for automated joiner / mover / leaver
  • Per-org roles: Admin, Member, Viewer — least-privilege by default

Audit logging

Every privileged action — sign-in, import, export, role change — is recorded.

  • Immutable AuditEvent ledger per organization
  • Captures actor, action, entity, IP, user agent, and JSON metadata
  • Configurable retention (90 days / 1 year / indefinite)
  • CSV export with full filter support for evidence collection
  • PERMISSION_DENIED events for privilege-escalation attempts

Frameworks

Compliance posture, honestly stated.

FrameworkStatusDetail
SOC 2 Type IIIn progressIn progress — security controls implemented and being documented. Not yet audited or certified.
GDPRReadyDPA available. Per-person erasure + organization-wide data-wipe tooling built into the product. (EU representative not yet appointed.)
CCPA / CPRAReadySame erasure + portability tooling as GDPR. Privacy policy enumerates data categories.
ISO 27001In progressOn the roadmap after SOC 2 Type II — not yet started. Listed for transparency, not as a current control set.

Documents

The document library.

Security overview one-pager

This trust center in packet form, for vendor-review and procurement files.

Available on request via security@varconduit.com

CAIQ-Lite questionnaire

A pre-filled CAIQ / SIG-Lite style self-assessment — honest gaps included.

Available on request via security@varconduit.com

Disclosure & contact

Found a vulnerability or have a compliance question? We'd rather hear from you than read about it later.

security@varconduit.com

Last reviewed · June 2026