Security at EvenRound.

Last updated by The EvenRound team.

We touch your group's money math. That comes with a duty to be clear about where data goes, who can see it, and what happens when something breaks. This page is the boring, accurate version - no marketing fog.

Where your data lives

Group data sits in a managed Postgres instance hosted by Supabase in Frankfurt. Receipt attachments live in Vercel Blob, also pinned to EU regions. No data crosses the Atlantic in normal operation.

We snapshot the database with point-in-time recovery enabled. Backups stay inside the EU.

Authentication

There are no passwords, so there are none for us to store or leak. Each group member is identified by a per-group token that we send them in a magic link. That link is the credential: whoever can read the email can use it. Once redeemed, the token is kept in an HttpOnly cookie, which client-side script cannot read, and the cookie value is HMAC-signed with a server-side key, so a modified or fabricated value fails verification on the next request.

Each token is scoped to a single group, so compromising one group's session exposes nothing in any other group.

Encryption

Everything moves over TLS 1.2 or newer in transit, full stop. At rest, the database and blob storage are encrypted with provider-managed AES-256 keys. Receipt images uploaded for OCR are sent to the AI provider, processed, and then deleted there; they aren't retained or used for training.

Access controls

Every table that contains group data is protected by Row-Level Security in Postgres. Plain English: a request scoped to group A can only ever see rows belonging to group A, regardless of what the application code does. The policy lives in the database itself.

Internal access to production is gated by short-lived OIDC tokens and a small allowlist of engineers. There is no shared-credential access.

Vulnerability disclosure

Found something? Email security@evenround.com. We acknowledge inside 48 hours and aim to assess and resolve within 90 days, depending on severity. If you'd like to encrypt your report, ask for our PGP key in your first email.

Please don't run scanners against production at scale, exfiltrate data, or test on groups you didn't create. We won't take action against good-faith research that stays within those bounds.

Compliance roadmap

We're a small team and we're honest about where we are. EvenRound runs on infrastructure (Vercel, Supabase) that already carries SOC 2 and ISO 27001 attestations; those cover the providers' controls, not ours. Our own roadmap:

  • SOC 2 Type II - targeted for late 2026.
  • ISO 27001 - alignment in 2026, certification in 2027.
  • EU-US Data Privacy Framework - not needed today (EU-only data path).
  • GDPR - yes, see Privacy and DPA.