
Security & Trust

Last updated: April 23, 2026

Shortlist is built for teams evaluating high-stakes software decisions. The rigor we apply to scoring vendors is the same rigor we apply to protecting the data you bring into the platform. This page summarizes our security posture, subprocessors, and how to request documentation for your review.

1. Security Posture

Shortlist runs on encrypted, access-controlled infrastructure with security hardening applied at the network, application, and database layers. Highlights:

  • Encryption in transit: TLS 1.2+ enforced across all customer-facing surfaces (HSTS preload-ready).
  • Encryption at rest: AES-256 on the primary database (Supabase / Postgres 17) and storage volumes.
  • Authentication: Email + password with optional magic-link, session rotation, and leaked-password screening.
  • Authorization: Row-Level Security (RLS) enforced on every customer-accessible Postgres table.
  • Application headers: strict Content-Security-Policy with per-response nonces, X-Frame-Options: DENY, X-XSS-Protection (a legacy header; current browsers ignore it and rely on the CSP instead), and Referrer-Policy: strict-origin-when-cross-origin.
  • Rate limiting: Per-IP and per-account rate limits on authentication and mutation endpoints (Upstash Redis).
  • Audit logging: Mutation events on sensitive resources are written to an append-only audit log.
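As a concrete illustration of the Row-Level Security bullet above, the following is an added example, not Shortlist's schema or code, of a tenant-isolation policy written for Supabase Postgres, followed by the catalog queries a reviewer can run to verify that every table in the public schema really has RLS enabled, forced, and backed by at least one policy. The tables evaluations and org_members, the org_id column, and the is_org_member helper are assumptions made for the example; auth.uid() is Supabase's built-in function returning the authenticated user's id from the request JWT.

```sql
-- Added example: hypothetical schema, not Shortlist's.
-- Membership table: which users belong to which organisation (tenant).
create table if not exists org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

-- A customer-owned resource; every row is scoped to exactly one organisation.
create table if not exists evaluations (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  title   text not null
);

-- SECURITY DEFINER lets the predicate read org_members even if that table
-- later gets its own RLS policies; pinning search_path prevents function
-- hijacking via a schema that shadows org_members.
create or replace function is_org_member(p_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_members m
    where m.org_id = p_org and m.user_id = auth.uid()
  );
$$;

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the
-- table owner, so an app role that happens to own the table cannot bypass them.
alter table evaluations enable row level security;
alter table evaluations force row level security;

-- USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK blocks INSERT/UPDATE
-- from creating or moving a row into an organisation the caller is not in.
create policy evaluations_tenant_isolation on evaluations
  for all
  using (is_org_member(org_id))
  with check (is_org_member(org_id));

-- Verification query 1: any row returned is a public-schema table with RLS
-- switched off, i.e. a direct counter-example to "RLS on every table".
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- Verification query 2: per-table view of enabled/forced flags and policy count.
-- rls_enabled with policy_count = 0 means deny-all for non-owners (usually a
-- misconfiguration); rls_forced = false means the owner role is exempt.
select c.relname,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.polname)      as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
order by c.relname;
```

One caveat when reading a claim like this against a Supabase deployment: the service_role key connects as a role that bypasses RLS entirely, so any server-side code path that uses it must enforce tenant scoping itself, and the two verification queries say nothing about that path.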

2. Compliance Roadmap

Shortlist is a pre-commercial-launch platform as of April 2026. We publish our compliance posture as it stands today and harden it iteratively:

  • SOC 2 Type I: In progress — readiness assessment underway; targeted completion Q3 2026.
  • SOC 2 Type II: Planned — 6 months after Type I report.
  • GDPR: Roadmap. Data Processing Agreements with customers and subprocessors are scheduled alongside the SOC 2 Type I readiness track. EU data-residency roadmap noted below.
  • HIPAA: Not supported today. We do not recommend storing Protected Health Information (PHI) in Shortlist at this time.
  • ISO 27001: Roadmap — 2027.

If your procurement process requires a specific certification we don't yet carry, email hello@tryshortlist.app with your requirement and timeline and we'll share our current posture and roadmap in detail.

3. Data Residency

Customer data is processed and stored in the United States (AWS us-east-1). This covers the primary Postgres database (Supabase, us-east-1), edge compute (Vercel, iad1 / us-east-1), and background job queues (Upstash, us-east-1). Requests may transit Cloudflare's global edge network in flight (see Subprocessors below), but customer data is stored only in us-east-1.

EU-resident data residency is on our roadmap. If this is a hard requirement for your procurement, please contact us before trialing Shortlist.

4. Subprocessors

Shortlist uses the following third-party subprocessors to deliver the platform. All subprocessors are reviewed for security posture, and data shared with each is limited to the minimum required to operate the platform.

Subprocessor   Purpose                                     Data region
Supabase       Primary database, auth, storage             US (us-east-1)
Vercel         Edge hosting, serverless functions          US (iad1)
Anthropic      AI model inference (Claude)                 US
OpenAI         AI model inference (embeddings, fallback)   US
Upstash        Rate limiting, cache, queues (Redis)        US (us-east-1)
Sentry         Application error monitoring                US
Stripe         Billing and payments                        US
Resend         Transactional email delivery                US
Cloudflare     DNS, edge network, browser rendering        Global edge
GitHub         Source control and CI/CD pipelines          US
Tavily         Vendor enrichment search API                US
Apify          Vendor enrichment web data                  US
BuiltWith      Vendor technographics                       US
Perplexity     Vendor enrichment search                    US
LIX            Vendor enrichment intelligence              US

Material changes to this subprocessor list (additions, removals, regional changes) will be announced via email to account owners at least 30 days before taking effect, unless an urgent security or availability reason requires a faster change.

5. Data Processing Agreement (DPA)

A Data Processing Agreement is available on request for all paid plans and for enterprise evaluations. To request a DPA, email hello@tryshortlist.app with your legal-entity name, jurisdiction, and any required addenda (e.g., SCCs for EU transfers). We aim to turn around DPAs within 3 business days.

6. Vulnerability Disclosure

If you believe you've found a security vulnerability in Shortlist, please report it responsibly to security@tryshortlist.app. Please include reproduction steps, the affected endpoint, and your contact information. Our response targets:

  • Acknowledge receipt within 2 business days.
  • Provide an initial severity assessment within 5 business days.
  • Coordinate a remediation timeline with you and credit responsible disclosures in our changelog if you consent.

We do not operate a paid bug bounty program at this time. Please do not conduct destructive testing, access other customers' data, or exfiltrate data.

7. Data Retention & Deletion

Customer data is retained for the active life of your account plus 30 days to support account recovery. You can request full deletion at any time by emailing hello@tryshortlist.app. Backups are rotated on a rolling 30-day window, so deleted data ages out of backups within 30 days of deletion.

Requests for data access, portability, or rectification can be sent to the same address. Our target turnaround is 30 days, consistent with GDPR Article 12.

8. Breach Notification

In the event of a confirmed data breach that affects your organization's data, we will notify affected account owners within 72 hours of confirmation. This is intended to leave you time to meet your own obligations under GDPR Articles 33 and 34, which run from the moment you become aware of the breach. Notice will describe the nature of the breach, the data involved, the likely consequences, and the remediation steps we have taken or will take.

9. Contact

General security questions: security@tryshortlist.app
Privacy and data-handling questions: hello@tryshortlist.app

Related: Privacy Policy · Terms of Service


© 2026 Shortlist. All rights reserved.