Security & Data Handling

Current security posture, stated plainly.

PhaseFolio publishes trust artifacts early, but does not borrow credibility from certifications it has not earned yet.

Reviewed June 12, 2026

01

Scope and Data Boundary

PhaseFolio is built for asset-level biotech valuation and diligence metadata: indication, modality, clinical stage, costs, deal terms, source citations, and scenario assumptions.

PhaseFolio is not a patient-data system. Do not enter Protected Health Information, patient-level records, medical charts, genetic test results tied to an individual, or other regulated clinical data.

02

Identity and Access

  • Authentication is handled through Clerk-managed identity infrastructure.
  • Product access is organization-scoped, with role-based permissions in the app layer.
  • Write access is restricted by organization role; viewer roles fail closed.
  • Pilot data is provisioned in an isolated organization, never a shared demo workspace.
  • Public research, methodology, and verification surfaces do not require an account.
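The organization-scoped, fail-closed role check described above, as an added illustration (this is not PhaseFolio's code, and the role names, permission table and sample memberships are constructed assumptions). The point it shows is that every failure path, unknown user, non-member, unrecognized role, unlisted action, resolves to a denial, so a viewer, or a role nobody has configured yet, can never acquire write access by accident:

```javascript
// Deny-by-default, organization-scoped authorization guard.
// Assumed model (not necessarily PhaseFolio's): a user holds at most one role per
// organization, and every resource belongs to exactly one organization.

// Explicit allowlist of actions per role. Anything not listed is denied, so a
// newly introduced role or action grants nothing until someone adds it here.
const ROLE_PERMISSIONS = Object.freeze({
  viewer: new Set(['read']),
  editor: new Set(['read', 'write']),
  admin: new Set(['read', 'write', 'manage_members']),
});

// Constructed sample membership table: { userId: { orgId: role } }.
const SAMPLE_MEMBERSHIPS = {
  'user-alice': { 'org-pilot-a': 'admin' },
  'user-bob': { 'org-pilot-a': 'viewer', 'org-pilot-b': 'editor' },
  'user-carol': { 'org-pilot-b': 'auditor' }, // role with no entry in the allowlist
};

// Returns { allowed, reason }. Only one path returns allowed: true.
function authorize(memberships, userId, resourceOrgId, action) {
  const orgs = memberships[userId];
  if (!orgs) return { allowed: false, reason: 'unknown user' };

  // Organization scoping: membership in *some* org is not membership in *this* org.
  const role = orgs[resourceOrgId];
  if (!role) return { allowed: false, reason: 'not a member of the resource organization' };

  // Fail closed on roles the permission table does not know about.
  const permitted = ROLE_PERMISSIONS[role];
  if (!permitted) return { allowed: false, reason: `role "${role}" has no permission set` };

  if (!permitted.has(action)) return { allowed: false, reason: `role "${role}" may not ${action}` };
  return { allowed: true, reason: 'ok' };
}

// Convenience wrapper over the constructed sample data.
function check(userId, orgId, action) {
  return authorize(SAMPLE_MEMBERSHIPS, userId, orgId, action).allowed;
}
```

Usage: `check('user-bob', 'org-pilot-a', 'write')` is false (viewer), `check('user-bob', 'org-pilot-b', 'write')` is true (editor in that org), and `check('user-carol', 'org-pilot-b', 'read')` is false because the "auditor" role has no permission set, which is the fail-closed behaviour the bullet points describe.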

03

Infrastructure

  • Frontend hosting and edge serving run on Vercel.
  • Application data is stored in Supabase PostgreSQL.
  • The backend computation API runs separately from the database host.
  • Transport uses HTTPS/TLS; production secrets are managed through platform environment stores.
  • PhaseFolio does not process card payments in product and does not store card or bank details.

04

Auditability and Verification

PhaseFolio records material product actions as audit events and preserves issued signed-export records so reports can remain verifiable after publication.

Every signed export carries a content hash plus engine, methodology, and benchmark version metadata. The public verification endpoint confirms authenticity and version provenance without exposing the report contents.

engine 2.7.0 · methodology@2026-06-17
05

Certification Status

PhaseFolio does not currently claim SOC 2 Type II, ISO 27001, HIPAA, or a formal GDPR compliance attestation. Those will be pursued when customer demand and operational maturity justify the audit work.

Until then, the public security posture is deliberately explicit: what is implemented, what data is in scope, what is out of scope, and which artifacts are independently verifiable.

06

Core Vendors

  • Clerk for identity and authentication.
  • Vercel for frontend hosting and edge delivery.
  • Supabase for managed PostgreSQL database infrastructure.

07

Security Contact

Report suspected vulnerabilities, authorization issues, or data-handling concerns to contact@phasefolio.com. Please avoid public disclosure until PhaseFolio has had a reasonable opportunity to investigate and remediate.