Data Security and Access Guidelines

Last updated: September 2025

Headcount, LLC provides advanced AI agents for clients in various industries, transforming data into actionable insights and producing artifacts like reports and content.

We recognize that our clients, especially in regulated sectors like wealth management (subject to SEC oversight) and healthcare (HIPAA), entrust us with sensitive data. This document outlines our security and privacy framework, which is designed to protect client data, ensure regulatory alignment, and build trust.

Our approach is based on industry best practices from leading vendors and standards (e.g., SOC 2, GDPR). We are building our platform with a clear strategy: leveraging our current, secure stack (Vercel, Supabase) for agility while executing a strategic migration to Google Cloud Platform (GCP) and Vertex AI to provide an enterprise-grade, compliant environment for our scaling clients.

Note: Everything below assumes the Enterprise Security Offering (SEC / SOC 2 Baseline) tier described under Security Offerings.

Core Security Principles

Our security architecture is built on three foundational principles:

  1. Data Minimization and Purpose-Bound Storage: We adhere strictly to the principle of data minimization. We only process the data required to execute a specific task (e.g., via APIs for external data, forms for internal data). While intermediate processing is ephemeral, we acknowledge that the final assets we generate (e.g., reports) may contain sensitive client-customer data, as specified by the client's task requirements. This output data is the only client-customer data we store, and it is stored securely in the client's dedicated database.

  2. Logical and Data-Level Isolation: We operate on a single-tenant architecture. Each client is provisioned with a dedicated, segregated database instance. This ensures that one client's data is never co-mingled with another's. This data-level isolation is enforced at the network level using logically isolated environments (e.g., Virtual Private Clouds or VPCs), eliminating the risks associated with shared infrastructure.

  3. Transparency and Shared Responsibility: We operate as a Data Processor on behalf of our clients, who act as the Data Controllers. We provide clients with transparent Data Processing Agreements (DPAs) that clearly define our roles, responsibilities, and data handling procedures. Clients retain full ownership and audit responsibility for their inputs and outputs, and we provide the necessary audit logs and platform controls to support their compliance obligations.

Security Controls

We implement layered defenses across our entire architecture to protect client data.

  • Authentication & Authorization: We enforce Multi-Factor Authentication (MFA) for all client and admin access. Role-Based Access Control (RBAC) ensures users only have access to the data and functions necessary for their roles (e.g., via Supabase Auth, migrating to GCP Identity and Access Management (IAM) for enterprise tenants).

  • Encryption: All data is encrypted end-to-end. Data in transit is protected using TLS 1.3, and data at rest (including generated reports and database backups) is encrypted using industry-standard AES-256.

  • Network & Access Controls: We use perimeter defenses like DDoS protection and rate limiting (via Vercel Edge Middleware or GCP Cloud Armor). Our single-tenant model, with client-dedicated databases and VPCs, is our primary network control, preventing any possibility of cross-client data access.

  • AI-Specific Protections: As we integrate with GCP Vertex AI, we will leverage its native prompt-management tools, content filters, and safety attributes for PII detection and jailbreak prevention. We will also integrate GCP's Cloud Data Loss Prevention (DLP) API to scan inputs and outputs for sensitive data before processing, without requiring storage.

Privacy and Compliance

Our compliance strategy is designed to meet the high bar of financial regulations (like SEC Reg S-P) and broad data privacy laws (like GDPR/CCPA).

  • Compliance Roadmap: Our roadmap includes achieving SOC 2 Type 1 certification as a foundational attestation of our controls. Our subsequent migration to GCP Assured Workloads will help accelerate our path to SOC 2 Type 2 and provide automated, SEC-aligned controls for our wealth management clients.

  • Data Processing Agreements (DPAs): We provide standardized DPAs that clearly outline our ephemeral processing, purpose-bound storage, and sub-processor lists.

  • Data Rights Management: Clients have control over the assets we generate. Our platform allows clients to access, export, or delete generated reports from their dedicated database on demand.

  • No Model Training: We never train third-party AI models on client data. All AI processing is done using private instances with zero data retention by the model vendor.

Technology Stack and Security Roadmap

Our stack is chosen for security, compliance, and scalability.

  1. Current Stack (Foundation)

    • Supabase: Used for its dedicated PostgreSQL instances (providing our core data-level isolation), secure authentication (Auth), and encrypted secret management (Vault).

    • Vercel: Provides DDoS protection, a global edge network, and secure serverless functions for our application logic.

    • GitHub: Used for CI/CD with mandatory branch protection, secret scanning (e.g., Dependabot), and code review policies.

  2. Enterprise Roadmap (GCP Migration): As we onboard enterprise and regulated clients, we will migrate their instances to GCP to leverage its advanced capabilities:

    • GCP Vertex AI: Provides a secure, managed AI platform with zero-data-retention pipelines and robust orchestration tools.

    • GCP Operations Suite (Stackdriver): For centralized logging and monitoring, allowing for workflow audits without logging the sensitive data itself.

    • GCP Security Command Center: For automated threat detection and incident response.

    • Compliance Automation: We will integrate a tool like Vanta or Drata to streamline and continuously monitor our SOC 2 compliance.

Deployment Model: Hosted Single-Tenancy

We provide a hosted, single-tenant architecture managed by Headcount. This model provides the optimal balance of high security, performance, and maintainability for our clients.

This model includes:

  • Dedicated VPC Isolation: Each client's application and database services run within their own logically isolated Virtual Private Cloud (VPC), managed by us on GCP.

  • Dedicated Database Instances: Fully segregated PostgreSQL instances per client ensure data cannot be mixed.

  • Ephemeral Data Processing: Real-time processing of inputs without persistent storage of the raw source data.

  • Secure Perimeter: VPC Service Controls and firewalls block all unauthorized traffic and confine AI agent workflows to approved client endpoints.

Security Offerings

We provide tiered security packages to meet diverse client needs, from startups to large, regulated financial institutions.

1. Standard Security Offering (Foundational Package)

This is our baseline package for all clients, built on a secure, modern, single-tenant architecture.

  • Technology: Vercel + Supabase

  • Key Features:

    • Dedicated Database Instances: Each client gets a fully segregated PostgreSQL database. Your data is never co-mingled.

    • Logical Network Isolation: Your app services are logically isolated to prevent cross-client data flows.

    • Encryption: Full TLS 1.3 for data in transit and AES-256 for data at rest (including database backups).

    • Core Controls: Enforced MFA, RBAC, and DDoS protection via Vercel Edge.

2. Enterprise Security Offering (SEC / SOC 2 Baseline) (Note: The technical overview above, from 'Core Security Principles' to 'Deployment Model', describes this Enterprise-tier architecture.)

This package is designed for clients in regulated industries (like wealth management) who require programmatic compliance and data residency controls. It includes all Standard features, with the entire environment migrated to a "compliance-in-a-box" on GCP.

  • Technology: Google Cloud Assured Workloads

  • Messaging: "We deploy your entire solution into a dedicated 'vault' that programmatically enforces SOC 2 and SEC data residency rules by default."

  • Key Features:

    • Enforced Data Residency: Guarantees all data (at rest) for that client stays within a specific geographic region (e.g., "US only").

    • Controlled Support Access: Ensures any Google support staff who might need to access the environment meet specific requirements (e.g., are US-based personnel).

    • Restricted Services: Automatically disables any GCP services that are not certified for that specific compliance standard, preventing accidental non-compliance.

3. Premium Enterprise Upgrades (Top-Tier Options)

For enterprise clients who require the highest level of security and auditability, we offer these add-ons on top of the Enterprise Security Offering.

  • Upgrade 1: Confidential AI Processing

    • Technology: Google Cloud Confidential Computing

    • Messaging: "Your data is encrypted even while the AI is processing it. This means no one—not even us, not even Google—can 'see' your raw data inside the AI model."

    • How it works: We run your AI models on Confidential VMs, which encrypt data in-memory while it's being used. This provides hardware-level isolation within a "Trusted Execution Environment."

  • Upgrade 2: Premium Audit & Threat Detection

    • Technology: Google Cloud Security Command Center (Premium Tier)

    • Messaging: "We provide a 24/7 dashboard that monitors for threats, detects misconfigurations, and automatically generates compliance reports for your auditors."

    • Key Features:

      • Compliance Manager: Continuously scans your environment against SOC 2 standards.

      • Audit Manager: Helps generate the specific evidence you need to pass your SOC 2 audit.

      • AI Protection: Scans Vertex AI for prompt injection threats and sensitive data leakage.