Security
How we handle your data.
Short, honest, current. We will expand this page as our compliance program matures. If you need anything that is not covered here, email security@parallaxmodel.com.
Encryption at rest
Data at rest is encrypted with AES-256 via our managed database provider, Neon. Backups inherit the same encryption.
Encryption in transit
All traffic to parallaxmodel.com uses TLS 1.3 with HSTS. We do not serve any content over plain HTTP.
Authentication
Sign-in is managed by Clerk. Email and password, social SSO, SAML SSO, and MFA are all supported. SSO is available on every plan, including the trial.
Data residency
Parallax is hosted in the United States. An EU-only region is available on the Enterprise plan for customers with residency requirements.
SOC 2 status
SOC 2 Type II is on our roadmap. We are pre-audit — no auditor is engaged yet and no controls framework has been formalized. Here is what we do today to protect your data: row-level security for per-org tenant isolation on every tenant table defined today, AES-256 encryption at rest via our managed database, TLS 1.3 in transit, principle of least privilege on internal access, audit logs on membership and billing changes, and no use of customer data for foundation-model training. A custom DPA is available on request.
Data deletion and export
Contact support@parallaxmodel.com to request a full org export or permanent deletion. Deletion requests are honored within 30 days, and all backups are purged within the standard retention window.
Model training
We never sell your data. We never train foundation models on your data. Coaching prompts are generated by Anthropic models with data retention turned off at the API level.
Subprocessor list
We notify existing customers by email at least 30 days before adding a new subprocessor.
| Subprocessor | Purpose | Region |
|---|---|---|
| Neon | Managed Postgres database | United States |
| Clerk | Authentication and user management | United States |
| Anthropic | LLM inference for coaching prompts | United States |
| Vercel | Web application hosting and edge delivery | Global |
| Stripe | Billing and payment processing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error and performance monitoring | United States |
| PostHog | Product analytics (event capture and identify). Session replay and autocapture are disabled. | United States |
Placeholder note
This page will grow into a full trust center once we begin a formal SOC 2 Type II audit. For now it reflects the controls we actually run today. Last updated 2026-04-14.