Security Policy
Our Security Commitment
At SplitRun (operated by Deliquio CA Inc. d/b/a SplitRun), we understand that commission and compensation data is mission-critical and sensitive. We have designed our platform with security-first principles to protect your data, maintain your trust, and meet enterprise standards for confidentiality, integrity, and availability.
This Security Policy describes how we secure SplitRun, our infrastructure, applications, and your data. It is intended for enterprise and RevOps leaders evaluating the platform.
Infrastructure Security
Cloud Hosting & Data Centers
- Geographic Data Residency: All SplitRun data is hosted exclusively in US-based data centers. We do not store or process customer data outside the United States.
- Vercel Platform: Application and API hosting via Vercel, a SOC 2 certified infrastructure provider with global edge network and DDoS protection. Production traffic is routed through Vercel's TLS 1.2+ secured CDN.
- Database & Authentication: Supabase (managed PostgreSQL) handles all data storage and authentication. Supabase maintains SOC 2 Type II certification and applies industry-standard security practices.
Encryption at Rest
- Database Encryption: All data at rest in Supabase PostgreSQL is encrypted using AES-256 encryption. Keys are managed by Supabase's infrastructure.
- Sensitive Data Fields: Commission rates, agent compensation details, and other highly sensitive fields are additionally encrypted at the application layer before they are written to the database, so database-level access alone does not expose their plaintext.
Encryption in Transit
- TLS 1.2+: All communication between clients, Vercel edge servers, and backend services uses TLS 1.2 or higher encryption. We do not allow unencrypted (HTTP) connections to SplitRun.
- Certificate Management: SSL/TLS certificates are provisioned and renewed automatically via industry-standard certificate authorities.
Application Security
Authentication & Session Management
- Primary Authentication: Supabase email/password authentication with secure password hashing (bcrypt).
- Server-Side Sessions: Session tokens are validated server-side and issued as Secure, HttpOnly cookies. Because the cookie is HttpOnly, script running in the page cannot read the session token, which limits what an XSS vulnerability could steal; it does not by itself prevent XSS, which is addressed by the output encoding and Content Security Policy controls described under Application Security.
- Session Expiration: Sessions expire after a period of inactivity. Users must re-authenticate for sensitive operations.
Role-Based Access Control (RBAC)
SplitRun implements a four-tier role system with granular permissions:
- Superadmin: Full access within their organization, including user management, billing, and audit logs. Access to other organizations requires an explicit, audited grant (see Organization-Level Data Isolation). Typically limited to company owners or HR leadership.
- Admin: Organization management, team structure, compensation rules, and user management within the organization. Typically HR or RevOps lead.
- Viewer: Read-only access to dashboards and reports. No ability to modify data or configurations.
- Agent: Limited access to personal commission data and payroll information. Cannot view other agents' compensation or modify any system settings.
Row-Level Security (RLS)
- Row-level security policies enforce access control inside PostgreSQL itself, so the database returns only the rows a user's role permits even if an application-layer check is bypassed.
- Organization data is strictly isolated: users in Org A cannot read or modify Org B's data, even if the application layer is bypassed.
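The policies below are an added example of how the two guarantees above can be expressed in PostgreSQL; they are not SplitRun's actual schema. The table and column names are assumptions, the four role names are taken from the RBAC section, and `auth.uid()` is Supabase's helper that returns the authenticated user's ID from the request JWT. One caveat a reviewer should keep in mind: roles that carry the BYPASSRLS attribute (in Supabase, the service_role key) are never subject to these policies, so isolation depends on that key staying server-side.

```sql
-- Added example (not SplitRun's schema): organization isolation and per-role
-- row access with PostgreSQL row-level security on a Supabase database.
-- Table/column names are assumptions for illustration.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- One row per user per organization; role mirrors the four-tier model.
create table memberships (
  user_id uuid not null,                      -- matches auth.users.id
  org_id  uuid not null references organizations(id),
  role    text not null check (role in ('superadmin', 'admin', 'viewer', 'agent')),
  primary key (user_id, org_id)
);

create table commissions (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null references organizations(id),
  agent_id uuid not null,                     -- the agent this row belongs to
  amount   numeric(12, 2) not null,
  period   date not null
);

alter table memberships enable row level security;
alter table commissions enable row level security;
-- FORCE makes the policies apply to the table owner as well. Roles with the
-- BYPASSRLS attribute (Supabase's service_role) are still exempt, which is why
-- that key must never reach a client.
alter table commissions force row level security;

-- Helper: the caller's role within one organization, or NULL if not a member.
-- SECURITY DEFINER lets it read memberships regardless of the memberships
-- policy below; STABLE lets the planner evaluate it once per statement.
create or replace function current_org_role(target_org uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select role from memberships
  where user_id = auth.uid() and org_id = target_org
$$;

-- Users may see only their own membership rows; no insert/update policy
-- exists, so memberships are managed exclusively by privileged server code.
create policy memberships_self on memberships
  for select using (user_id = auth.uid());

-- Read access: superadmins, admins and viewers see their whole organization;
-- agents see only rows where they are the agent. Rows of other organizations
-- are invisible because current_org_role() returns NULL for them.
create policy commissions_read on commissions
  for select using (
    current_org_role(org_id) in ('superadmin', 'admin', 'viewer')
    or (current_org_role(org_id) = 'agent' and agent_id = auth.uid())
  );

-- Write access: only superadmins and admins, and only inside their own org.
-- WITH CHECK also stops an admin from re-homing a row into another org.
create policy commissions_write on commissions
  for all
  using (current_org_role(org_id) in ('superadmin', 'admin'))
  with check (current_org_role(org_id) in ('superadmin', 'admin'));

-- Verification in psql: impersonate an authenticated agent the way Supabase's
-- API layer does and confirm only that agent's rows come back.
-- begin;
-- set local role authenticated;
-- select set_config('request.jwt.claims',
--                   '{"sub":"<agent uuid>","role":"authenticated"}', true);
-- select count(*) from commissions;   -- only rows with agent_id = <agent uuid>
-- rollback;
```

The `agent` branch of `commissions_read` is what makes the Agent Portal restriction hold at the database layer: even a request that skips every application check still cannot select another agent's rows, because the policy is evaluated by PostgreSQL on every statement.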
Input Validation & XSS Prevention
- Zod Schema Validation: All user inputs are validated against strict Zod schemas on the server. Invalid inputs are rejected before processing.
- Output Encoding: All data rendered in templates is HTML-encoded, preventing stored and reflected XSS attacks.
- Content Security Policy (CSP): Strict CSP headers limit the execution of scripts, reducing XSS impact.
CSRF Protection
- All state-changing requests (POST, PUT, DELETE) require a valid CSRF token. Token generation and validation are handled by the application framework rather than by hand-written code.
API Security
- Rate Limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.
- Authentication: All API endpoints require valid session cookies or bearer tokens. Unauthenticated requests are rejected.
Data Access & Least Privilege
Principle of Least Privilege
- Users are granted only the minimum permissions necessary to perform their role. Superadmin access is intentionally difficult to obtain and requires approval from multiple stakeholders.
- Service accounts and API keys (if used) are scoped to specific functions and rotated regularly.
Organization-Level Data Isolation
- SplitRun is a multi-tenant platform. Each organization's data is logically isolated and encrypted separately. A superadmin can access only their own organization unless explicitly granted cross-organization access, and any such grant is itself audited.
Agent Portal Restrictions
- Agents can only view their own compensation details, payout history, and commission statements. They cannot access:
- Other agents' data or commissions
- Compensation rate structures or rules
- Organizational configuration or audit logs
Monitoring, Logging & Auditing
Audit Trails
- Critical actions (user role changes, compensation rule updates, bulk payouts, org structure changes) are logged with timestamps and user identity.
- Audit logs are append-only: existing entries cannot be modified or deleted, and logs are retained for at least 12 months.
- Superadmins can access audit logs via the platform; logs are also available to Deliquio via secure backend access for forensic purposes.
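As an added example, not SplitRun's code, this is how an append-only audit table can be enforced in PostgreSQL so that "immutable" is a property of the database rather than of application discipline. Table and column names are assumptions; `auth.uid()` is Supabase's JWT-subject helper and `anon`/`authenticated` are the roles Supabase's API layer uses for client requests. A database superuser can still drop the trigger, so superuser access itself has to be restricted and monitored.

```sql
-- Added example (not SplitRun's schema): an append-only audit log enforced by
-- privileges, a trigger, and RLS. Names are assumptions for illustration.

-- Minimal membership table so the policies below can resolve org and role.
create table memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null check (role in ('superadmin', 'admin', 'viewer', 'agent')),
  primary key (user_id, org_id)
);
alter table memberships enable row level security;
create policy memberships_self on memberships
  for select using (user_id = auth.uid());

create table audit_log (
  id         bigint generated always as identity primary key,
  org_id     uuid        not null,
  actor_id   uuid        not null default auth.uid(),  -- who performed the action
  action     text        not null,                     -- e.g. 'role.change', 'comp_rule.update'
  target     text,                                     -- affected record, free-form
  details    jsonb       not null default '{}'::jsonb,
  created_at timestamptz not null default now()
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- 1. Belt: the client-facing roles have no UPDATE/DELETE privilege at all.
--    (anon and authenticated exist on Supabase; adjust for other setups.)
revoke update, delete, truncate on audit_log from anon, authenticated;

-- 2. Braces: refuse UPDATE/DELETE even for roles that do hold the privilege.
create or replace function audit_log_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% blocked)', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- 3. Who may write: any member of the organization, and only as themselves,
--    so an actor cannot attribute an entry to someone else.
create policy audit_insert on audit_log
  for insert with check (
    actor_id = auth.uid()
    and exists (select 1 from memberships m
                where m.user_id = auth.uid() and m.org_id = audit_log.org_id)
  );

-- 4. Who may read: superadmins of that organization only, matching the tier
--    the policy text grants audit-log access to.
create policy audit_read on audit_log
  for select using (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = audit_log.org_id
              and m.role = 'superadmin')
  );

-- Verification: any non-superuser attempt to rewrite history is refused.
-- update audit_log set action = 'edited' where id = 1;
-- ERROR:  audit_log is append-only (UPDATE blocked)   (SQLSTATE 42501)
```

Retention (the 12-month floor above) is the one operation this design deliberately leaves to a scheduled, privileged job, since deleting expired rows requires bypassing the trigger; that job should run under a dedicated role and be logged itself.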
Automated Monitoring
- Billing Integrity: Vercel cron jobs periodically verify commission calculations and payout records against the source of truth, detecting anomalies or corruption.
- Uptime & Performance: Vercel provides real-time monitoring and alerting for application performance and availability.
- Error Tracking: Application errors are logged and reviewed regularly to identify security issues or bugs.
Incident Response
Detection & Escalation
- We monitor logs and alerts for signs of unauthorized access, data breach, or system compromise.
- Suspected security incidents are escalated immediately to our security team.
Containment & Notification
- Upon confirmation of a breach affecting customer data, we take immediate steps to contain the incident (e.g., revoking compromised credentials, isolating affected systems).
- Affected customers are notified within 72 hours with details of the breach, data impacted, and recommended actions.
- We also notify relevant regulators if required by law.
Post-Incident Review
- After any security incident, we conduct a post-mortem to identify root causes and implement preventive measures.
- Findings are shared with customers and used to improve our security practices.
Vulnerability Management
Dependency Updates
- We regularly scan dependencies (npm packages, system libraries) for known vulnerabilities using automated tools.
- Security patches are prioritized and applied within 48 hours of release. Critical vulnerabilities are patched immediately.
Code Review & Testing
- All code changes are reviewed by the development team before merging into production.
- Security-sensitive code (authentication, encryption, access control) receives additional scrutiny.
- We perform regular security testing, including automated SAST (static application security testing).
Third-Party Penetration Testing
- SplitRun undergoes annual independent security audits and penetration testing by qualified security firms.
- Results are reviewed and addressed promptly. Findings and remediation are documented.
Third-Party Security & Compliance
Service Provider Certifications
- Supabase: SOC 2 Type II certified, ensuring secure infrastructure, access controls, and data handling.
- Vercel: SOC 2 Type II certified with proven track record hosting millions of applications.
- Stripe: PCI DSS Level 1 certified. Handles payment card processing securely. SplitRun never directly handles credit card data.
- Resend: Used exclusively for transactional email (payroll confirmations, notifications). Email data is encrypted in transit and at rest.
Vendor Assessment
- We regularly assess our vendors' security posture, certifications, and incident history.
- Vendor agreements include data protection and incident notification requirements.
Data Retention & Disposal
Data Retention
- Commission data is retained as long as your account is active. Upon request, you can export your data in standard formats.
- Audit logs are retained for at least 12 months.
- Backup copies are retained for 30 days to support disaster recovery.
Account Deletion & Data Disposal
- Upon account termination or request, all customer data is securely deleted from production databases and backups within 90 days.
- Deletion is performed using cryptographic erasure (keys are destroyed) to ensure data is unrecoverable.
- We provide a deletion certificate upon completion.
Responsible Disclosure
If you discover a security vulnerability in SplitRun, please report it to us responsibly rather than disclosing it publicly.
- Email: security@splitrun.io
- What to include: Description of the vulnerability, proof of concept (if safe), and steps to reproduce.
- Our commitment: We will acknowledge your report within 48 hours, keep you informed of progress, and credit you publicly (if desired) once the vulnerability is patched.
Contact & Support
For security questions, concerns, or to request a security assessment or audit report, please contact us:
- Email: support@splitrun.io
- Website: splitrun.io
- Organization: Deliquio CA Inc. d/b/a SplitRun
Policy Updates
We may update this Security Policy to reflect changes in our infrastructure, practices, or applicable laws. The effective date at the top of this page indicates when the policy was last updated. We encourage you to review this policy periodically.