Top 10 Dev Training

Trust & Security

We're a small team. Here's exactly what we do with your data, how we protect it, and where we stand on compliance.

Last updated:

Here's what you should know

  • We don't sell your data. Never have, never will. Your team's information is not a product.

  • We collect very little. Email, name, training progress, quiz scores, and attestation timestamps. That's the full list.

  • Your team's data is siloed. Row-level security is enforced at the database layer. No company can see another company's records.

  • Passwords are never stored in plaintext. Authentication is handled by Supabase Auth with industry-standard hashing. We never see your password.

  • We're a small team being honest with you. We're not SOC 2 certified yet. Below, we explain exactly what we do have in place and where we're headed.

  • You can request data deletion. Email us at admin at top10devtraining dot com and we'll handle it promptly.

What We Collect

We collect only what the product needs to function. Nothing more.

Data                              | Why
----------------------------------|------------------------------------------
Email address, full name          | Account identity and login
Training progress and quiz scores | Core product functionality
Attestation timestamps            | Your compliance evidence and audit trail
Company name and domain           | Multi-tenant account isolation

We use PostHog for product analytics, capturing page views and navigation patterns to improve the platform. We do not track your employees across other websites, run advertising pixels, or build marketing profiles on your team.

What We Don't Do

  • Sell or share your data with third parties for commercial purposes
  • Run advertising or build marketing profiles on your employees
  • Access your team's data without a support request from you
  • Store payment card data. All billing is handled by Stripe (PCI DSS Level 1). Card data never touches our servers.
  • Transfer your data internationally (all data stays in U.S. regions)

Infrastructure & Security

Hosting: Netlify

HTTPS enforced on all traffic. Global CDN. No plaintext data in transit.

Database & Auth: Supabase (PostgreSQL on AWS)

Data encrypted at rest. Row-level security (RLS) enforced at the database layer, not just the application layer. Supabase Auth handles all password storage using secure hashing. We never store or see plaintext passwords. Optional social sign-in via GitHub and Google OAuth is also available. In those flows, the OAuth provider verifies your identity and shares only your email address and display name with us.

Payments: Stripe

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Payment card data is entered directly into Stripe's hosted interface and never touches our servers. We store only a Stripe customer ID and purchase history.

Transactional Email: ZeptoMail (Zoho)

Invitation and notification emails are delivered via ZeptoMail (Zoho). Password reset emails are delivered separately by Supabase. Only the recipient email address and message content are transmitted. No marketing or tracking is involved.

Product Analytics: PostHog

We use PostHog to understand how the platform is used. Data collected includes page views, navigation events, and your Supabase user ID. Data is sent to PostHog's U.S. cloud at us.i.posthog.com. We do not use PostHog for advertising. Data is not shared with third parties for commercial purposes.

Access Controls

Company admins see only their company's data. Learners see only their own records. Platform-level access is restricted to a single administrator account. Multi-factor authentication (TOTP) is available to all users and can be required at the company level by administrators.

Data Isolation

Every company's data is isolated from every other company at the database level using row-level security (RLS) policies in PostgreSQL. This is not just an application-layer check. Even if there were a bug in the application code, the database itself would reject any query that attempts to read another company's records.
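As an added illustration of the access model described above (learners see their own rows, company admins see their company, nothing crosses a tenant boundary), here is how such isolation is expressed with PostgreSQL row-level security under Supabase Auth. This is example SQL written for this page, not the product's actual schema; the table and column names are assumed, and the only Supabase-provided piece is auth.uid(), which returns the caller's user ID from the session JWT.

```sql
-- Hypothetical tables for the example; the site's real schema is not published.
create table company_members (
  company_id uuid not null,
  user_id    uuid not null references auth.users (id),
  role       text not null check (role in ('admin', 'learner')),
  primary key (company_id, user_id)
);

create table training_progress (
  id          bigint generated always as identity primary key,
  company_id  uuid not null,
  user_id     uuid not null references auth.users (id),
  module      text not null,
  quiz_score  int,
  attested_at timestamptz
);

-- Turn RLS on; FORCE makes even the table owner subject to the policies.
alter table company_members   enable row level security;
alter table training_progress enable row level security;
alter table training_progress force row level security;

-- Members may read only their own membership rows.
create policy member_reads_self on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- Helper: is the calling user an admin of the given company?
-- SECURITY DEFINER lets this check read company_members without RLS recursion.
create function is_company_admin(target_company uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from company_members
    where company_id = target_company
      and user_id = auth.uid()
      and role = 'admin'
  );
$$;

-- Learners see only their own progress rows.
create policy learner_reads_own on training_progress
  for select to authenticated
  using (user_id = auth.uid());

-- Company admins see every row in their own company, and nothing outside it.
create policy admin_reads_company on training_progress
  for select to authenticated
  using (is_company_admin(company_id));
```

Because RLS denies anything no policy permits, a SELECT against another company's rows returns nothing regardless of what the application layer asks for, and writes are blocked until an explicit insert/update policy is added.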

Subprocessors

We use a small, intentional list of third-party vendors. No surprises.

Vendor             | Purpose                                                                                    | Location
-------------------|--------------------------------------------------------------------------------------------|---------
Netlify            | Application hosting and CDN                                                                | U.S.
Supabase (on AWS)  | Database, authentication, and session management                                           | U.S.
Stripe             | Payment processing (PCI DSS Level 1)                                                       | U.S.
ZeptoMail (Zoho)   | Transactional email (invitations, notifications). Password resets are delivered separately by Supabase. | U.S.
PostHog            | Product analytics (page views, feature usage)                                              | U.S.
GitHub (Microsoft) | Optional OAuth identity provider                                                           | U.S.
Google             | Optional OAuth identity provider                                                            | U.S.

Compliance & Certification

Not yet SOC 2 certified

We're an early-stage company. Pursuing SOC 2 Type II certification is on our roadmap, but the cost and overhead are not yet justified at our current scale. We believe being honest about this is more trustworthy than vague enterprise language.

What we do have:

  • HTTPS enforced everywhere, no exceptions
  • Database-level row-level security on all tenant data
  • Passwords hashed using Supabase Auth (bcrypt-based, never stored in plaintext)
  • Least-privilege access controls (company admins, learners, platform admin)
  • Data hosted exclusively in U.S. AWS regions via Supabase
  • No unnecessary data collection, retention, or sharing
  • Multi-factor authentication (TOTP) available platform-wide. Company administrators can enforce it as a policy requirement for all team members.
  • GitHub and Google OAuth use email-only scope. We request no write permissions and hold no persistent access tokens to third-party accounts.

Billing & Payments

Billing is processed by Stripe, a PCI DSS Level 1 certified payment processor. When you purchase training credits, payment card data is entered directly in Stripe's hosted checkout interface and is never transmitted to or stored on our servers. We receive only a Stripe customer ID and purchase status.

You can purchase credits, manage assignments, and view purchase history in your company billing settings at any time.

Data Deletion & Retention

Your data is retained for as long as your account is active. If you close your account or wish to have your data removed, email us at admin at top10devtraining dot com. We will acknowledge your request within 5 business days and complete deletion within 30 days.

Some data may be retained in anonymized or aggregated form for product improvement purposes only.

Contact

Questions about security, data handling, or this page? Reach us at admin at top10devtraining dot com. We respond to all security and privacy inquiries personally.