
Security & Trust

Security is foundational to how TheDuck Platform is built. We handle your business data with care, and we believe in being straightforward about exactly what we do — and don’t — claim. This page describes our security posture as it stands today.

How we protect your data

  • Tenant isolation. Each customer’s data is isolated to their own account, separated from every other customer’s data.
  • Encryption. Data is encrypted in transit (TLS) and at rest.
  • Row-level security. Database-level access rules act as a defense-in-depth backstop around our application controls.
  • Multi-factor authentication. Accounts can be protected with two-factor authentication using an authenticator app or an emailed one-time code.
  • Least-privilege access. Access to systems and data is limited to what is needed to operate and support the Service, and sensitive credentials are handled server-side, never exposed to the browser.
  • Controlled, logged access. Access to customer data through the Platform is controlled and logged, and can be made available for your audit on request.

Enterprise-grade infrastructure

TheDuck is built on infrastructure from established providers who maintain their own independent security programs and industry certifications (such as SOC 2). These include Supabase, Vercel, Stripe, and Plaid. Building on certified infrastructure means your data benefits from the security investments of these providers, in addition to our own controls.

Our data-handling commitment

We know that trust is everything when you put your business data into a platform. Our commitment is simple and direct:

  • Your data belongs to you.
  • We access it only as needed to operate, support, and secure the Service for you.
  • We never use your data for any other business, and we never use it to compete with you.
  • We never sell your data.

Responsible disclosure

If you believe you’ve found a security vulnerability, we want to hear from you. Please contact us at security@theduckplatform.com so we can investigate and respond.

A note on certifications

We describe only the security practices we actually have in place, and we attribute industry certifications to the infrastructure providers that hold them, rather than claiming certifications we do not. As TheDuck grows, our security program will continue to mature.


Questions about security or data handling? Reach us at privacy@theduckplatform.com.