Project DiamondContact

Security

Built to satisfy your auditor — and ours.

Project Diamond stores capitalization tables, financial statements, and finalized 409A reports — material that ends up in front of auditors, tax counsel, and the IRS. The security controls below describe how we protect that data today.

Tenant isolation by default

Every table that holds customer data enforces row-level security keyed on workspace membership. Queries from one workspace cannot read or mutate data from another — the database itself is the boundary, not application code.

Encryption in transit and at rest

All traffic is served over TLS 1.2+. Database storage and managed file storage are encrypted at rest with provider-managed keys. Backups inherit the same encryption.

Authentication & access control

Email + password authentication. Passwords are screened against the Have I Been Pwned breach corpus on signup and password change. Workspace roles (admin, editor, viewer, auditor) gate every privileged action.

Immutable audit trail

Every change to a cap table, financial period, or valuation input writes an audit-log row with the actor, timestamp, and old/new values. Finalized valuations are locked at the database level — they cannot be edited, only superseded by a new version.

Least-privilege backend

Server functions run with scoped credentials, not the service-role key, so a bug in one function can't escalate to read or write across workspaces. Secrets live in the platform secret store, never in source control.

Reporting a vulnerability

If you believe you've found a security issue, please email security@projectdiamond.app with reproduction steps. We acknowledge reports within 2 business days and will keep you updated through remediation. Please do not test against another customer's workspace or attempt to exfiltrate real data.

Subprocessors & infrastructure

Project Diamond runs on Lovable Cloud, which provides managed Postgres, authentication, storage, and serverless compute. Our AI-assisted features call the Lovable AI Gateway. We do not sell customer data and do not use customer financial data to train external models. A current subprocessor list is available on request to security@projectdiamond.app.

On the roadmap

  • · SOC 2 Type II report (in progress).
  • · SAML SSO and SCIM provisioning for Enterprise plans.
  • · Customer-managed encryption keys for finalized reports.