Trust & Security
ShipReady Metrics reads the confidential signal inside your engineering, cloud, and security systems. It’s built security-first — here is exactly how your data is isolated, protected, and used.
Infrastructure & architecture
ShipReady Metrics is a multi-tenant SaaS built on managed, independently-audited cloud infrastructure. Every request crosses three layers, and your data is isolated at each.
- Browser boundaryEvery response is served over HTTPS/TLS and carries hardened security headers — a per-request Content-Security-Policy with a script nonce and strict-dynamic, HSTS (preloaded), X-Frame-Options: DENY, and X-Content-Type-Options: nosniff. Plaintext transport is never used for your data.
- Application (Vercel)The application runs on Vercel's managed platform behind a global CDN. Every request is authenticated and authorized server-side before any data is read; role-based access control (admin / engineer / executive) gates privileged actions.
- Database & storage (Supabase)Tenant data lives in a managed Postgres database. Isolation is enforced in the database by row-level security, so a query can only ever return your organization's rows. Bulk data is encrypted at rest by the managed platform (AES-256); connector tokens are additionally encrypted by the application with AES-256-GCM and are readable only by the service role.
Every change ships through continuous integration that runs type-checking, linting, tests, a production build, an automated database-grant audit, and a tenant-isolation test suite (which re-applies every migration from scratch and asserts cross-tenant reads are denied) before it reaches production. A detailed security architecture overview is available for enterprise review — contact info@persooninc.com.
Subprocessors
The third parties that process data on our behalf, and what each is used for.
- Supabase
- Managed Postgres database, authentication, and storage
- Vercel
- Application hosting and content delivery
- Resend
- Transactional email (sign-in, invitations, digests)
- Anthropic
- AI Security Audit — finding metadata, on demand only
- Google Analytics
- Website analytics — public marketing pages only, consent-gated
- Microsoft Clarity
- Website session analytics — public marketing pages only, consent-gated
Compliance & vulnerability disclosure
The practices above are how the product is built today. For a Data Processing Agreement, subprocessor change notifications, or the current status of formal certifications, contact info@persooninc.com. Report a security issue via the report form or our security.txt, and see live availability on the status page.
See it on your own data
Connect a source and your Executive Overview populates as the first sync completes — about a minute for small orgs, several minutes for large estates.
Get startedRolling this out for a larger org? Talk to us about enterprise.