How financial data is handled across the Sprint and the Engagement.
Two pathways for financial data. One for the 10-day Sprint, where data flow is export-based and time-bounded. One for the ongoing Engagement, where data flow is continuous and lives inside an isolated, named-user environment. Documented in plain language for the operator, with the technical specifics named for procurement.
Sprint and Engagement use different access shapes.
The shape of access is different because the work is different. The Sprint is a fixed window with agreed exports. The Engagement is a continuous monthly cadence inside a per-client isolated environment. Same standard either way; see the comparison footer below.
Six dimensions named below: how access is granted, how long it runs, where the data sits, how it moves, what leaves the firm, and how the relationship ends.
A closed window.
A monthly loop.
The technical layer.
Three layers, named, with the control standard at each layer documented. Database, application, portal. Each layer carries the standard procurement reviewers ask for, named explicitly rather than implied. Read top to bottom: a request enters at the portal, passes through the application, and lands at the database, which is where the data actually lives.
Named users, role-scoped, audit-ready.
Next.js · Session-based auth · MFA · Configurable expiry
User-to-client mapping enforced through user_client_map. Role-based view restrictions. MFA enforced on all Portal accounts. SSO available on request. Named-user audit log exportable at any time. Sessions expire on a configurable schedule; a named user can be revoked in minutes, not days.
Encrypted in transit and at rest. No exceptions.
Python FastAPI · TLS 1.2+ · AES-256
Service-role keys only for backend access. No long-lived bearer tokens shared with operators. Every connection terminates TLS 1.2 or higher, and every persisted byte sits behind AES-256.
Per-client isolation enforced in SQL.
Supabase Postgres · Row-level security · 7-day PITR
Every query is scoped to the requesting user's mapped clients through row-level security. A named user only ever sees the clients they are mapped to. Daily automated snapshots with seven-day point-in-time recovery.
AI-assisted, founder-reviewed, not retained or trained on.
AI-assisted analysis is used during the Sprint build and during monthly Engagement cycles for data preparation, reconciliation, anomaly surfacing, and draft commentary. Every output is reviewed by the founder before delivery or publication. Nothing reaches a client unreviewed.
AI calls route through OpenRouter to Anthropic. Prompts are not logged by default and your data is not used to train models. Data is sent per query only. The query layer (Ask Your Numbers) operates under the same terms.
AI is mechanism, not headline. The credibility carrier is the reviewed pack, not the model behind it.
Sydney by default. Other regions on request.
The Engagement database sits in Supabase's Sydney region by default. The API layer sits in Singapore for latency reasons; data passes through encrypted in transit and is not retained there.
If your procurement requires a specific regional commitment in writing, Sydney, Frankfurt, US-east, or another supported region, an alternative region can be provisioned before the Engagement begins. For Sprint clients without ongoing Portal access, residency is determined by the working environment used during the build window, which is documented on request.
You leave with the calculation engine.
The Excel model is client-owned from day one of the Sprint. It contains the full calculation engine: three-way forecast, working-capital cycle, KPI logic, scenario layer, and assumption block.
If the Engagement ends, the workbook stays with you. The Portal is decommissioned. A full CSV export of historical data is provided. There is no proprietary system that must be subscribed to in order to keep using the work, and no part of the calculation logic that lives somewhere you cannot see.
The Portal is optional. Clients who prefer it can stay fully export and Excel based, with no hosted surface.
Yours from day one.
Contains the full calculation engine. Client-owned the moment the Sprint begins.
- Three-way forecast
- Working-capital cycle
- KPI logic
- Scenario layer
- Assumption block
- Open audit trail
Ends within 30 days of notice.
Decommissioned on exit. No orphan data, no dormant accounts, no lingering access.
- Sessions terminated
- Named users disabled
- Database isolation closed
- Audit log sealed
Full CSV export provided.
Every cycle. Client retains the full record. Format documented in writing.
- All cycles · all packs
- Schema documented
- No proprietary blockers
- Self-reusable in Excel
Running a security review? Here is the packet.
A security overview is available covering infrastructure, controls, data handling, residency, exit terms, and a procurement FAQ. Covers the questions most review teams ask before they ask them.
A sub-processor list (naming the outside services that handle client data: Supabase, Render, Vercel, OpenRouter, Anthropic, Dropbox) and a Data Processing Agreement (DPA) are both available on request.
For specific questions, email security@infraxus.com or raise it on the fit call. Better to answer a hard procurement question upfront than to find out about it three weeks into the Engagement.
The Control Sprint is a fixed $5,000 fee with a full refund available for 7 days after the delivery call.