How we protect your data.

Sign-in is magic-link only via Supabase Auth. We store zero passwords. Auth emails are sent through Resend from auth@stack-match.io over TLS.

All data is encrypted in transit via HTTPS and at rest via Supabase's managed Postgres (AES-256). Our hosting provider (Vercel) and database provider (Supabase) both run on hyperscaler infrastructure with SOC 2 Type II attestation.

Every user-data table enforces Postgres RLS policies. Users can only read/write their own rows. Admin access is gated behind an explicit is_admin flag and separate policies.

API keys (Anthropic, Resend, Stripe, Supabase service-role) are stored only in Vercel environment variables, never in source control. Server-side routes are the only place they're read.

Submission endpoints (tool submissions, RFPs, vendor responses) are throttled to prevent spam and abuse: 3 tool submissions per email per 24h, 3 RFPs per buyer per 24h, 10 vendor pitches per vendor per 24h.

We sell aggregated, anonymized intent signals to vendors — never individual user information. Specific users, emails, company names, and RFP contents are never exposed without the buyer's explicit unmask action.

All community reviews shown on tool pages are from real users. All editorial reviews are bylined StackMatch Editorial and clearly marked as independent analyst commentary. We do not accept payment for verdicts.

We are working toward SOC 2 Type I to validate our control environment. Expected vendor: Drata or Vanta. Timeline: 3-6 months from audit kickoff.

Type II observation period begins after Type I completion.

We are drafting a standard DPA for vendor and enterprise customers who require one. If you need one now, email legal@stack-match.io and we'll expedite.

Annual third-party pentest, scoped to include the platform application and authentication surface.