Security at CertLedge

All data is encrypted in transit with TLS and encrypted at rest in our database and file storage. Uploaded certificate files live in a private bucket and are only ever served through signed links that expire after one hour.

• Supabase (database, auth, storage) is SOC 2 Type II compliant.
• Stripe (payments) is a PCI Service Provider Level 1 — the highest level of PCI DSS certification. Card details never touch CertLedge servers.

Every record is scoped to your company with database-level row security, enforced by the database itself rather than application code. One customer can never read, modify, or even enumerate another customer's data — including uploaded files.

If you cancel, your data is retained for 90 days so you can come back without losing anything, then permanently deleted. You can export all of your employees and certifications as CSV at any time from Settings, and audit-ready PDF reports are always one click away. Account deletion from Settings removes everything immediately.

CertLedge runs on globally distributed, redundant infrastructure with a target uptime of 99.9%. Current status is published on our status page.

Found a security issue? We want to hear about it. Email [CONTACT EMAIL] with details and we will respond within 2 business days. We ask that you give us reasonable time to remediate before public disclosure, and we will credit good-faith reporters.