Security & Compliance

Trust Center

Your spreadsheets contain sensitive data. Here's exactly how we handle it, and why you can trust our infrastructure.

Security principles

Ephemeral processing

Uploaded files are processed in memory by our Java service and immediately discarded. We never write your files to disk. The parsed JSON is stored in an encrypted session with a 30-minute TTL, then automatically deleted.

Encryption everywhere

All data in transit uses TLS 1.2+. Data at rest (sessions, account info) is encrypted with AES-256in Supabase. API keys are hashed with bcrypt before storage — we cannot read them.

No data mining

We do not inspect, analyze, or use your file contents for any purpose beyond providing the Service. We do not train AI models on your data. We do not sell or share your data with third parties.

Minimal data collection

We collect only what's needed: email for auth, usage counters for billing. No third-party trackers, no analytics cookies, no advertising. See our Privacy Policy for the full list.

Password handling

If you upload a password-protected workbook, the password is used in-memory for decryption by Apache POI and never stored, logged, or transmitted beyond the processing service.

Authentication

User authentication is managed by Supabase Auth using industry-standard OAuth 2.0 (Google) and magic links. API keys use bearer tokens over HTTPS. All auth flows enforce PKCE where applicable.

Infrastructure partners

We build on best-in-class cloud platforms so we can focus on the product, not on reinventing security. Each partner maintains rigorous compliance programs independently audited.

Vercel

Web hosting, API routing, edge network

Our Next.js application runs on Vercel's edge network, providing global low-latency access. Vercel maintains SOC 2 Type II compliance and undergoes regular third-party security audits.

All traffic is served over HTTPS with automatic TLS certificate management. DDoS protection is built into the edge layer.

SOC 2 Type IIISO 27001GDPRHIPAA eligible

Supabase

Authentication, database, session storage

Supabase manages our authentication (OAuth, magic links), PostgreSQL database, and session storage. Built on AWS infrastructure with encryption at rest (AES-256) and in transit (TLS).

Row Level Security (RLS) ensures users can only access their own data. Database backups are encrypted and retained per our retention policy.

SOC 2 Type IIHIPAAGDPR
🚂

Railway

Java Excel processing service

Our Apache POI + LibreOffice processing runs on Railway as an isolated container. Files are received via internal service-to-service calls (authenticated with a shared secret), processed in memory, and the response returned. No file data is persisted.

The service runs in a sandboxed Docker container with no persistent storage attached. Cold starts provision a fresh environment each time.

SOC 2 Type IIGDPR
💳

Stripe

Payment processing

All payment processing is handled by Stripe. We never see, store, or process credit card numbers. Stripe is a PCI DSS Level 1 certified service provider — the highest level of certification in the payments industry.

Subscription management, invoicing, and refunds are all handled through Stripe's secure infrastructure.

PCI DSS Level 1SOC 2 Type IIISO 27001GDPR

Data flow

Your AI agent                    Vercel (API)                Railway (Java)              Supabase
    │                               │                           │                          │
    ├── upload(file) ──────────────►│                           │                          │
    │                               ├── POST /convert ─────────►│                          │
    │                               │   (file bytes + secret)   │                          │
    │                               │                           ├── Decrypt (if needed)    │
    │                               │                           ├── Convert .xls → .xlsx   │
    │                               │                           ├── Recalculate formulas   │
    │                               │                           ├── Parse with Apache POI  │
    │                               │◄── JSON response ─────────┤                          │
    │                               │                           │  (file bytes discarded)  │
    │                               │                           │                          │
    │                               ├── Store session JSON ────────────────────────────────►│
    │                               │   (encrypted, 30min TTL)  │                          │
    │◄── sessionId ─────────────────┤                           │                          │
    │                               │                           │                          │
    ├── ls / cat / grep ───────────►│                           │                          │
    │                               ├── Read session JSON ─────────────────────────────────►│
    │                               │◄─────────────────────────────────────────────────────┤
    │◄── results ───────────────────┤                           │                          │

File bytes only exist in memory during the Railway processing step. After parsing, only the structured JSON representation is retained (with a 30-minute TTL).

Frequently asked questions

Do you store my Excel files?

No. Files are processed in memory and discarded. We only store the parsed JSON representation in an encrypted session that expires after 30 minutes.

Can your employees see my data?

Session data is encrypted at rest. We do not have tooling to browse user sessions. Access to infrastructure is restricted to the engineering team with MFA-protected accounts.

Where is my data physically located?

Supabase runs on AWS US regions. Railway runs on US infrastructure. Vercel serves from the nearest edge location. All inter-service communication uses TLS.

Are you GDPR compliant?

Yes. We minimize data collection, provide data export and deletion on request, and all our sub-processors maintain GDPR compliance. Our entity (Dalae SAS) is incorporated in France and subject to EU data protection law.

What happens if I upload a password-protected file?

The password is transmitted over TLS to the processing service, used in-memory to decrypt the file via Apache POI, and immediately discarded. It is never logged, stored, or transmitted to any other system.

Questions about security? Reach out.

Contact security@dalae.fr