Security

How financial data is handled across the Sprint and the Engagement.

Two pathways for financial data. One for the 10-day Sprint, where data flow is export-based and time-bounded. One for the ongoing Engagement, where data flow is continuous and lives inside an isolated, named-user environment. Documented in plain language for the operator, with the technical specifics named for procurement.

ResidencySydney by default
Excel modelClient-owned from day one
ProcurementOne-pager available
Data Handling · v.2026.1
Pathways

Sprint and Engagement use different access shapes.

The shape of access is different because the work is different. The Sprint is a fixed window with agreed exports. The Engagement is a continuous monthly cadence inside a per-client isolated environment. Same standard either way; see the comparison footer below.

Six dimensions named below: how access is granted, how long it runs, where the data sits, how it moves, what leaves the firm, and how the relationship ends.

DimensionCompared
01 / Pathway Sprint 10 business days · export-based
02 / Pathway Monthly · named-user portal
AAccess type
Read-only or export-based.No write access to your accounting system
Portal accounts. Named users only.No shared logins
BDuration
10 business days from data receipt.Fixed window, then archived
Monthly, 30 days' notice from either side.Either party may end
CStorage
Encrypted working environment for the build window.AES-256 at rest, TLS in transit
Per-client isolation. Row-level security, every query scoped to the user's clients.Postgres RLS
DData flow
You provide agreed exports. We work from those exports.No live integration
Monthly accounting export plus operating data agreed at scoping.Live integration optional
EOutputs
Delivered only to the contacts you name.NDA available on request
Portal access for named users. Reviewed pack each cycle.CSV export at any time
FExit
Model and decision pack handed over.Working files retained briefly for support, then archived
Portal access ends within 30 days of notice. Excel model stays with you.Full historical CSV export provided
Same standard
Encryption, founder review, named-user audit, and exit ownership are identical across both pathways. The shape of access changes; the standard does not.
Controls

The technical layer.

Three layers, named, with the control standard at each layer documented. Database, application, portal. Each layer carries the standard procurement reviewers ask for, named explicitly rather than implied. Read top to bottom: a request enters at the portal, passes through the application, and lands at the database, which is where the data actually lives.

Architecture · 3 Layers Stack 03 → 01
Layer 03 Portal Surface

Named users, role-scoped, audit-ready.

Next.js · Session-based auth · MFA · Configurable expiry

AUTHMAPROLEAUDIT

User-to-client mapping enforced through user_client_map. Role-based view restrictions. MFA enforced on all Portal accounts. SSO available on request. Named-user audit log exportable at any time. Sessions expire on a configurable schedule; a named user can be revoked in minutes, not days.

Layer 02 Application Service

Encrypted in transit and at rest. No exceptions.

Python FastAPI · TLS 1.2+ · AES-256

TLSAESKEYSROUTE

Service-role keys only for backend access. No long-lived bearer tokens shared with operators. Every connection terminates TLS 1.2 or higher, and every persisted byte sits behind AES-256.

Layer 01 Database Foundation

Per-client isolation enforced in SQL.

Supabase Postgres · Row-level security · 7-day PITR

RLSPER-CLIENTPITRSNAPSHOT

Every query is scoped to the requesting user's mapped clients through row-level security. A named user only ever sees the clients they are mapped to. Daily automated snapshots with seven-day point-in-time recovery.

Hosting Hosted on Supabase, Render, and Vercel, each SOC 2 Type II attested. Attestation links available on request. Attestation applies to those providers; Infraxus does not hold its own SOC 2 attestation.
SupabaseRenderVercel
Operator controls Infraxus is founder-operated, so the operator's own access is part of the security boundary. MFA is enforced on every account that touches client data, hosting, database, application, email, and AI provider. Admin credentials are held in 1Password. Devices are disk-encrypted. Client working data lives in access-controlled, MFA-gated cloud storage, never on local disk.
Incident response If a security incident affecting your data is confirmed, you are notified within 72 hours with what happened, what was affected, and the remediation taken. Handled directly by the operator, consistent with the AU Notifiable Data Breaches scheme and the NZ Privacy Act 2020.
Data handling Data is exchanged by a method agreed with each client and stored in access-controlled, MFA-gated cloud storage, never on local disk.
AI Handling

AI-assisted, founder-reviewed, not retained or trained on.

AI-assisted analysis is used during the Sprint build and during monthly Engagement cycles for data preparation, reconciliation, anomaly surfacing, and draft commentary. Every output is reviewed by the founder before delivery or publication. Nothing reaches a client unreviewed.

AI calls route through OpenRouter to Anthropic. Prompts are not logged by default and your data is not used to train models. Data is sent per query only. The query layer (Ask Your Numbers) operates under the same terms.

AI is mechanism, not headline. The credibility carrier is the reviewed pack, not the model behind it.

Trace · per-query
Req req_zdr_a7f3 Routed openrouter ▸ anthropic
REVIEW GATED
01 Origin scope: per-querypayload: scoped exports t = 0 msCLIENT
02 OpenRouter routing: pass-throughlog: disabled t = 12 msTRANSIT
03 Anthropic retention: not loggedtraining: excluded t = 180 ms
04 Founder review required: yesblocking: yes manual gateREVIEW
05 Delivery output: reviewed onlychannel: pack · portal to clientFINAL
Retention0
TrainingExcluded
ReviewRequired
Data Residency

Sydney by default. Other regions on request.

The Engagement database sits in Supabase's Sydney region by default. The API layer sits in Singapore for latency reasons; data passes through encrypted in transit and is not retained there.

If your procurement requires a specific regional commitment in writing, Sydney, Frankfurt, US-east, or another supported region, an alternative region can be provisioned before the Engagement begins. For Sprint clients without ongoing Portal access, residency is determined by the working environment used during the build window, which is documented on request.

Residency · v.2026.1
02 / RegionAPI · Transit
SIN
LAT1.35° N
LON103.82° E
ProviderRender
TransitTLS 1.2+
01 / RegionDatabase · Primary
SYD
LAT33.86° S
LON151.21° E
ProviderSupabase
StorageAES-256
On request
Sydney Frankfurt US-east + supported regions
Provisioned pre-engagement
Exit

You leave with the calculation engine.

The Excel model is client-owned from day one of the Sprint. It contains the full calculation engine: three-way forecast, working-capital cycle, KPI logic, scenario layer, and assumption block.

If the Engagement ends, the workbook stays with you. The Portal is decommissioned. A full CSV export of historical data is provided. There is no proprietary system that must be subscribed to in order to keep using the work, and no part of the calculation logic that lives somewhere you cannot see.

The Portal is optional. Clients who prefer it can stay fully export and Excel based, with no hosted surface.

Handover · Manifest
Dochandover_manifest.v.2026.1 Items 3 / 3
01 / 03
Excel model

Yours from day one.

Contains the full calculation engine. Client-owned the moment the Sprint begins.

  • Three-way forecast
  • Working-capital cycle
  • KPI logic
  • Scenario layer
  • Assumption block
  • Open audit trail
OwnershipClient Day 1 · Yours
02 / 03
Portal access

Ends within 30 days of notice.

Decommissioned on exit. No orphan data, no dormant accounts, no lingering access.

  • Sessions terminated
  • Named users disabled
  • Database isolation closed
  • Audit log sealed
OwnershipEnds 30-day · Decommissioned
03 / 03
Historical data

Full CSV export provided.

Every cycle. Client retains the full record. Format documented in writing.

  • All cycles · all packs
  • Schema documented
  • No proprietary blockers
  • Self-reusable in Excel
OwnershipClient Exported · Yours
No lock-in The calculation engine lives in Excel. The Portal is presentation. Both leave with you. v.2026.1
Procurement

Running a security review? Here is the packet.

A security overview is available covering infrastructure, controls, data handling, residency, exit terms, and a procurement FAQ. Covers the questions most review teams ask before they ask them.

A sub-processor list (naming the outside services that handle client data: Supabase, Render, Vercel, OpenRouter, Anthropic, Dropbox) and a Data Processing Agreement (DPA) are both available on request.

For specific questions, email security@infraxus.com or raise it on the fit call. Better to answer a hard procurement question upfront than to find out about it three weeks into the Engagement.

The Control Sprint is a fixed $5,000 fee with a full refund available for 7 days after the delivery call.

Security one-pager · v.2026.1 Page 1 / 1