Security
How your data is protected.
An honest description of the security posture — what is in place today, without certifications we don't hold.
Last updated: July 7, 2026
Authentication
Sign-in is handled by Clerk, a dedicated managed authentication provider — CaptureCore never sees or stores your password. Sessions are validated server-side on every request, and administrative functions require an explicitly granted admin role that fails closed.
Data isolation
Every workspace record — opportunities you track, pipeline items, proposals, evidence, submissions — is scoped to your company, and that scoping is enforced in server-side authorization on every API route and page, not in the browser. Cross-company access is denied by default and covered by the automated test suite.
Payments
Billing runs on Stripe. Your card number is entered on Stripe's PCI-compliant checkout and never touches CaptureCore's servers; webhook messages from Stripe are signature-verified before they change anything.
No government portal credentials
The strongest security control is not holding the data at all: CaptureCore never collects, stores, or transmits credentials for SAM.gov, GSA eBuy, FedConnect, PIEE, or any government system. There are no database fields for portal credentials, and an automated test fails the build if one is ever added.
Infrastructure
CaptureCore is served over HTTPS on Vercel with data stored in Supabase-managed Postgres, both encrypted in transit. We deliberately do not claim compliance certifications (such as SOC 2 or FedRAMP) that we have not earned; if that changes, this page will say so.
Reporting a concern
If you believe you have found a security issue, contact us through the email address on your billing receipt and we will prioritize it. (A dedicated security contact address is being set up and will be published here.)
Related: Privacy · Terms · Security · Data Sources · Disclaimer