Trust

Security at SPACPilot

Infrastructure

SPACPilot runs on managed cloud infrastructure with data stored in Postgres. Backups are automated, connections are encrypted with TLS in transit, and production access is restricted to a small set of authorized operators.

Tenant isolation

Every record in SPACPilot is scoped to your sponsor workspace. Application-level tenancy checks run on every query, so one sponsor team can never see another's data — including in shared views like the auditor and investor portals.

Encryption of sensitive data

Investor tax identifiers (SSN/EIN) are encrypted at the application layer with AES-256 before they reach the database, in addition to disk-level encryption at rest. The production system refuses to store this PII in plaintext.

Authentication and administration

Passwords are stored as bcrypt hashes and sessions use signed, HTTP-only cookies. SPACPilot's own administrative console is protected by TOTP two-factor authentication, and every administrative action is written to an immutable audit log with actor, action, and IP address.

Your data stays yours

You can export your full workspace at any time. We do not sell your data, and the service partners we may refer (brokerage, money managers, auditors) never receive your data without your explicit action.

Reporting a vulnerability

Found something? Email [email protected] and we'll respond quickly. We appreciate coordinated disclosure.