Your data is secure by design
Assesr handles sensitive commercial finance data. Security isn't a feature we added — it's the foundation everything is built on. Here's exactly how we protect you.
Assesr is built to the same security standards as major financial institutions. Your deal data, documents, and communications are protected by enterprise-grade encryption, strict access controls, and infrastructure trusted by millions of businesses worldwide. We handle sensitive commercial finance data every day — protecting it is our highest priority.
“Same security standards as major financial institutions”
- AES-256 encryption at rest — the same standard mandated for banks. Used by HSBC, Barclays, and every major financial institution. Approved by the NSA for Top Secret classified data.
- TLS 1.3 in transit — the latest and most secure transport protocol. Banks require TLS 1.2 minimum; Assesr uses 1.3.
- Passwordless authentication — many banks still rely on passwords. Assesr has eliminated that entire attack vector with magic links and OAuth 2.0.
- Row-Level Security on every database table — enterprise-grade, database-level access control. Most startups only enforce access in application code, which is weaker. Assesr enforces it at the database itself.
- Timing-safe secret comparisons — a security practice that most startups skip entirely. Banks and payment processors like Stripe use this to prevent side-channel attacks. So does Assesr.
“Enterprise-grade encryption”
- AES-256 is classified as enterprise-grade encryption — that's not marketing language, it's the actual security classification. It's the strongest commercially available symmetric encryption.
- TLS 1.3 provides forward secrecy, meaning that even if a key were compromised in the future, previously recorded communications remain protected.
- HSTS with preload ensures your browser will never connect to Assesr over an unencrypted connection, even accidentally.
“Strict access controls”
- Role-Based Access Control (RBAC) with 5 distinct roles — borrower, broker, lender, partner, admin — each with precisely scoped permissions, enforced server-side.
- Row-Level Security on every table — even if a bug existed in application code, the database itself blocks unauthorised access.
- Role assignments processed exclusively through server-side functions with strict input validation — the database rejects direct client-side role modifications entirely.
- Admin role protected by multi-layered defence: input validation rejects it before processing, database policies block direct writes, and RPC functions verify existing admin status before granting privileges.
- Document ownership verification on every single access request.
- Sensitive actions require re-authentication within a 30-minute window.
- File uploads validated at three levels: extension, MIME type, and binary signature verification.
“Infrastructure trusted by millions of businesses worldwide”
- Cloudflare — powers ~20% of all websites globally. Used by Fortune 500 companies, governments, and financial institutions. Provides WAF, DDoS protection, and edge security.
- Supabase — built on PostgreSQL, the world's most advanced open-source database. SOC 2 Type II certified. Used by hundreds of thousands of companies.
- Stripe — processes hundreds of billions in payments annually. PCI DSS Level 1 certified. Trusted by Amazon, Google, Shopify, and millions of businesses worldwide.
We don't claim to be “unhackable” — no one can. We don't claim certifications we don't hold. What we do have is the same encryption, the same access controls, and the same infrastructure as major financial institutions — and we can prove every claim on this page.
How we protect your data
Security FAQs
Yes. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Documents are stored with signed, time-limited URLs and are only accessible to you and matched lenders. Our infrastructure runs on SOC 2 Type II certified providers.
Multiple layers: Cloudflare's enterprise WAF and DDoS protection at the edge, strict Content Security Policy headers blocking XSS and code injection, rate limiting on all public endpoints, parameterised queries eliminating SQL injection, timing-safe secret comparisons preventing side-channel attacks, and server-side enforcement of all role assignments and access controls — the database rejects any direct modification attempts from the client.
Passwordless authentication via magic links and Google OAuth 2.0. No passwords are stored — eliminating password breach risk entirely. Every request is validated server-side with cryptographically signed JWTs. Role assignments are processed exclusively through server-side functions with strict input validation — privileged roles like admin cannot be self-assigned under any circumstances. Lender access requires a formal application and manual approval by an Assesr admin, enforced by a database-level trigger that rejects unapproved lender role grants. Sensitive actions require re-authentication within 30 minutes.
Only you and lenders matched to your deal. Documents use signed, time-limited URLs that expire automatically. Every access request is verified against the document owner server-side. Lenders excluded by mandate criteria never see your deal or documents.
Yes. Every file goes through three-layer validation: extension check, MIME type verification, and binary magic byte analysis confirming the content matches the claimed type. A malicious file disguised as a PDF is rejected because its binary signature doesn't match.
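The three-layer check described above, sketched as an added example (not Assesr's code); the allow-list, function names and sample bytes are assumptions constructed for illustration:

```javascript
// Added example: allow-list and names are assumptions, not Assesr's code.
const RULES = new Map([
  ['pdf',  { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }], // "%PDF-"
  ['png',  { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  ['jpg',  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] }],
  ['jpeg', { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] }],
]);

function validateUpload(filename, declaredMime, bytes) {
  // Layer 1: extension after the LAST dot, so "accounts.pdf.exe" is judged as "exe".
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : '';
  const rule = RULES.get(ext);
  if (!rule) return { ok: false, failed: 'extension' };

  // Layer 2: the client-declared MIME type (parameters stripped) must match the extension.
  const mime = String(declaredMime).split(';')[0].trim().toLowerCase();
  if (mime !== rule.mime) return { ok: false, failed: 'mime' };

  // Layer 3: the leading bytes must carry the signature of the claimed format.
  const sigOk = bytes.length >= rule.magic.length &&
    rule.magic.every((b, i) => bytes[i] === b);
  if (!sigOk) return { ok: false, failed: 'signature' };

  return { ok: true, failed: null };
}

// Constructed sample inputs (not real uploads).
const SAMPLE_PDF = Uint8Array.from([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x37]); // "%PDF-1.7"
const SAMPLE_EXE = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00]); // "MZ" executable header

function runSamples() {
  return [
    validateUpload('accounts.pdf', 'application/pdf', SAMPLE_PDF).failed,     // passes all layers
    validateUpload('accounts.pdf', 'application/pdf', SAMPLE_EXE).failed,     // wrong signature
    validateUpload('accounts.pdf', 'text/html', SAMPLE_PDF).failed,           // wrong MIME type
    validateUpload('accounts.pdf.exe', 'application/pdf', SAMPLE_PDF).failed, // wrong extension
  ];
}
console.log(runSamples());
```

A signature check only confirms how a file begins, so it is one layer among several: stored files should still be served with their validated content type and never executed or rendered inline on trust.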
All payments are processed by Stripe — PCI DSS Level 1 certified, the highest security level. Card numbers and payment credentials never touch our servers. Every Stripe webhook is cryptographically verified before processing.
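Webhook verification combined with the timing-safe comparison this page mentions, as an added example (not Assesr's code). It follows Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `timestamp.body`), which Stripe's official libraries implement for you; the secret, event body and function names are constructed.

```javascript
const crypto = require('node:crypto');

// Parse "t=<unix seconds>,v1=<hex>[,v1=<hex>...]" into its parts.
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header).split(',')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === 't') out.t = value;
    else if (key === 'v1') out.v1.push(value);
  }
  return out;
}

// Constant-time comparison: the time taken does not reveal how many leading
// bytes of a forged signature were correct.
function safeEqualHex(candidate, expectedHex) {
  if (!/^[0-9a-f]{64}$/i.test(candidate)) return false; // must be a 32-byte digest
  return crypto.timingSafeEqual(Buffer.from(candidate, 'hex'), Buffer.from(expectedHex, 'hex'));
}

function hmacHex(secret, t, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
}

function verifyWebhook(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!/^\d+$/.test(t || '') || v1.length === 0) return false;
  // Reject stale timestamps so a captured request cannot be replayed later.
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = hmacHex(secret, t, rawBody);
  return v1.some((sig) => safeEqualHex(sig, expected));
}

// Constructed values for the demonstration (not a real secret or event).
const DEMO_SECRET = 'whsec_constructed_example';
const DEMO_BODY = '{"id":"evt_constructed","type":"checkout.session.completed"}';
const DEMO_T = 1700000000;
const DEMO_HEADER = `t=${DEMO_T},v1=${hmacHex(DEMO_SECRET, DEMO_T, DEMO_BODY)}`;

console.log(verifyWebhook(DEMO_BODY, DEMO_HEADER, DEMO_SECRET, DEMO_T + 10));
```

Verification must run over the raw request body exactly as received: parsing and re-serialising the JSON first changes the bytes and the HMAC no longer matches.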
Yes. We follow data minimisation principles, support the right to erasure with self-service account deletion (30-day soft-delete with one-click restore, then automatic permanent purge), encrypt everything at rest and in transit, and our infrastructure providers maintain SOC 2 Type II certification.
When you delete your account, nothing is permanently destroyed straight away. Your data moves to a secure 30-day bin — you can sign back in and restore everything with one click at any time. This protects you from impulsive decisions, accidental clicks, and account takeover attacks. After 30 days, data is permanently purged automatically. If you need faster removal for compliance reasons, an admin can hard-delete immediately — but only through a Google re-authentication gate that ensures a real human is making the decision.
This is a deliberate security design. If someone gained access to your account, they could try to permanently destroy your data. The 30-day bin means even a compromised account can't cause irreversible damage — you have a full month to recover. Permanent deletion requires admin-level access with Google re-authentication, creating a human-only gate that no script, AI, or automated tool can bypass. This protects your data even in worst-case scenarios.
Email addresses, phone numbers, and social media handles are automatically detected and redacted from all platform messages — including creative workarounds like spelling out numbers. Contact details are only shared after deal completion.
Questions about security?
We're happy to discuss our security practices in detail, provide additional documentation, or address specific compliance requirements.
Contact our team

Last updated: May 2026