Security & Data
How NarrEx handles your data.
NarrEx is built for institutional capital allocators. This page documents our current security posture honestly — including what is in place today, what our subprocessors are, and what is on our roadmap. We are happy to answer additional questions from your InfoSec or legal team directly at contact@narrex.app.
Infrastructure and hosting
NarrEx is deployed on Railway (cloud infrastructure). All application data is stored in Supabase (PostgreSQL), running on AWS infrastructure in the EU (eu-west-1 region). Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Supabase maintains SOC 2 Type II certification on their infrastructure layer.
Subprocessors
NarrEx uses the following third-party subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (AWS eu-west-1) |
| Railway | Application hosting | EU region |
| Anthropic | AI claim extraction via API | United States |
| Formspree | Contact form submissions | United States |
Document content sent to Anthropic's API is processed under Anthropic's data processing terms. Anthropic does not use API inputs to train or fine-tune models by default. Raw document content is not retained by Anthropic beyond the duration of the API call.
International Data Transfers
Two subprocessors (Anthropic and Formspree) are located in the United States. The transfer of data to these subprocessors is governed by the following mechanisms under GDPR Chapter V:
- Anthropic — transfers are governed by Anthropic's Standard Contractual Clauses (SCCs) adopted pursuant to Article 46(2)(c) GDPR. Anthropic maintains appropriate supplementary technical measures including encryption in transit and access controls. A copy of Anthropic's SCCs is available at anthropic.com or on request from NarrEx at contact@narrex.app.
- Formspree — contact form submissions contain only name and email address submitted voluntarily. Transfers are governed by Formspree's Standard Contractual Clauses. No deal materials or confidential data are transmitted to Formspree.
For questions about international transfer mechanisms or to request copies of applicable SCCs, contact contact@narrex.app.
How your data is handled
- Investment materials (PDFs) and financial models (XLSX) uploaded for analysis are processed server-side within your firm environment.
- Extracted claims and credibility scores are stored in your firm's database partition.
- By default, uploaded documents are processed and discarded immediately after analysis completes. Raw investment materials and financial models are not retained after processing unless a firm has expressly enabled secure retention for audit purposes. Analysis outputs (scores, claims, IC reports) are retained in your firm account for the duration of the arrangement.
- NarrEx staff do not access firm data except where explicitly required for support, and only with your permission.
- All analyses are firm-scoped — only members of your firm account can access your data.
Access controls
- Access to NarrEx requires a firm-specific access code issued directly by the NarrEx team, together with authenticated user sessions for registered users.
- Within each firm account, role-based access (Admin and Analyst) controls who can invite new members and manage firm settings.
- Sessions are managed via secure HTTP-only cookies with server-side token validation.
- There is no public registration — all accounts are provisioned by NarrEx directly.
Data Isolation
Each firm account on NarrEx operates in complete data isolation. It is technically impossible for one firm's analyses, uploaded documents, or results to be accessed by another firm. Isolation is enforced at the database query level, not only at the application layer.
How AI is used
NarrEx uses the Anthropic Claude API for narrative claim extraction. Document content is transmitted to Anthropic's API over TLS for processing. NarrEx operates at temperature=0 for deterministic, reproducible outputs. Anthropic does not use API inputs for model training by default. Extracted claims, scores, and analysis outputs are stored in your firm account on Supabase infrastructure. NarrEx does not use your deal data to train, fine-tune, or improve any AI model.
Certifications and compliance roadmap
Current status:
- Supabase (our database provider) maintains SOC 2 Type II certification
- Data stored in EU region (AWS eu-west-1)
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
Roadmap:
- SOC 2 Type II for NarrEx application layer — targeted for 2027 as we scale beyond the current early access phase
- Data Processing Agreement (DPA) available on request where NarrEx acts as a processor for customer data
- GDPR compliance documentation available on request
DPA and Compliance Documents
A Data Processing Agreement (DPA) compliant with GDPR Article 28 is available on request where NarrEx acts as a processor for customer data. Download the current version or request a bespoke DPA at contact@narrex.app.
We are happy to complete InfoSec questionnaires and security reviews for institutional teams. Contact contact@narrex.app.
Incident response
In the event of a confirmed security incident affecting firm data, NarrEx will notify affected firms within 72 hours of discovery. Notification will be sent to the Admin email address on the firm account. For security disclosures or vulnerability reports, contact contact@narrex.app directly.
Responsible Disclosure
If you discover a security vulnerability in the NarrEx platform, please report it responsibly to contact@narrex.app. We commit to acknowledging receipt within 48 hours and providing a status update within 7 days. We will not take legal action against good-faith security researchers.
Contact
For security reviews, InfoSec questionnaires, DPA requests, or data deletion requests, contact us at contact@narrex.app. We aim to respond to institutional security reviews within 2 business days.