Readyloop

Security

Last updated: July 15, 2026

Readyloop is built for teams preparing AI compliance evidence. We take a practical security posture appropriate to an early SaaS product—honest about what we do and what we don't claim yet.

Access control

  • Authentication via Clerk (hosted identity)
  • Workspace data scoped by organization membership in Convex; mutations require an authenticated member with edit rights
  • Auditor links are tokenized, expiring, and revocable
  • API keys are stored as SHA-256 hashes; the raw key is shown once at creation and can be revoked anytime

Encryption & infrastructure

  • TLS in transit for the site (Vercel) and Convex API
  • Data at rest is stored in Convex's managed database and file storage (provider-managed encryption at rest)
  • Hosting on Vercel; identity on Clerk; optional payments on Stripe
  • We do not operate our own physical datacenters—security inherits from these subprocessors' controls

Evidence & integrity

  • On attach we store a pointer fingerprint and attempt to archive a snapshot of the URL body (up to 2MB) with a SHA-256 body hash
  • If the URL is behind auth or unreachable, snapshot may fail—you can upload a file snapshot manually
  • Evidence older than 90 days is flagged stale on Overview; Refresh re-verifies and re-captures when possible

Backups, retention & deletion

  • Convex provides managed durability/backups for the application database as part of their platform
  • You can export workspace JSON anytime (export guide)—we recommend keeping your own compliance copy
  • After an account deletion request, we delete or anonymize workspace data within 30 days (see Privacy), except where retention is required for security or legal reasons
  • Revoking an auditor link immediately stops new access via that token; snapshot file URLs for captured evidence are bearer URLs—delete evidence to revoke file access

Access logging

We retain application-level ingest logs (event type, success/failure, timestamp) in the workspace for operators. We do not currently expose a full end-user audit trail UI; platform access logs live with Clerk / Convex / Vercel. Contact us if you need a specific access report for diligence.

Subprocessors

Clerk, Convex, Vercel, and Stripe (when billing is enabled). Optional SMTP provider for digests. Details in Privacy.

Report an issue

Email hello@getreadyloop.com with details. We aim to acknowledge security reports within 2 business days.