Security & Compliance
Enterprise-grade. FCRA-compliant. Your contractors' data handled to infrastructure standards.
Business verification handled outside FCRA consumer-report territory.
Data encrypted at rest across our managed database and storage.
TLS 1.3 on every request to and from our edge.
SOC 2 Type II audit in progress, target Q3 2026. Not yet certified.
Data architecture
How data flows, where it is stored, and who can reach it. Verification draws from public records and licensed sources; we store what is needed to render a sourced, auditable report.
Ingest
Public records, licensed datasets, and official portals are queried per request. Source attribution is captured with each signal.
Store
Production data lives in managed Supabase Postgres and Vercel infrastructure, encrypted at rest with AES-256.
Access
Role-based access control, least-privilege by default. Every access and state change is written to an audit log.
Serve
Reports are delivered over TLS 1.3. Evidence is traceable back to its original source so any verdict can be checked.
FCRA compliance
Entity verification (the default)
Verifying a business (license status, registration standing, court judgments, and entity history) is commercial verification. It is not a consumer report under the FCRA, because the subject is an entity and the report is not used to assess an individual's eligibility for credit, employment, insurance, or housing.
Individual checks (when required)
Where an individual background check is genuinely required, it is performed through a licensed Consumer Reporting Agency under FCRA permissible-purpose rules — with the disclosures, consent, and adverse-action steps the FCRA requires. We do not blur the two.
The full legal framing — permissible purpose, consumer rights, and adverse-action handling — lives on our compliance page.
Encryption
At rest — AES-256
Production database and object storage are encrypted at rest with AES-256, standard across our managed Supabase infrastructure.
In transit — TLS 1.3
All traffic between clients, our edge, and backend services is encrypted in transit with TLS 1.3 where the client supports it, with TLS 1.2 as the fallback, as served by our Vercel edge.
Data retention & deletion
We retain verification records and their source attribution only as long as needed to render a traceable report, meet legal obligations, and support disputes. Evidence is retained with its source so any signal in a report can be checked after the fact.
Deletion requests are honored per applicable law (see CCPA / GDPR below). On a valid request we delete or de-identify the relevant records and confirm completion. Email security@earthmove.io or use the request flow on /compliance.
CCPA / GDPR
California (CCPA) and EU/EEA (GDPR) data subjects can exercise the rights the law provides — access, correction, deletion/erasure, portability, and do-not-sell. We do not sell personal information. Submit a request to security@earthmove.io or via /compliance; we verify identity, then respond within statutory timelines.
Security operations
Penetration testing
Roadmap
Independent third-party penetration testing is planned on an annual cadence alongside the SOC 2 program. We will publish the most recent test window here once the first engagement completes; we do not claim prior pen-test results we do not have.
Incident response
Target 72 hours
We maintain an incident-response process with a target of notifying affected customers of a confirmed data breach within 72 hours of confirmation. The 72-hour figure mirrors GDPR Article 33, which requires a controller to notify its supervisory authority within 72 hours of becoming aware of a breach; we apply the same window to customer notification, counted from the point the breach is confirmed rather than first suspected.
SOC 2 roadmap
In progress, target Q3 2026
A SOC 2 Type II audit is underway with a target completion of Q3 2026. We are not yet SOC 2 certified and do not represent ourselves as such; report status will be published here when the audit window closes.
Access controls
In place
Role-based access control (RBAC) with least-privilege defaults, plus audit logs that record access and every significant state change so actions can be traced and reviewed.
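To make the RBAC and audit-log claims in the Access step of the data architecture and in this section concrete, here is one way the pattern is expressed on Supabase Postgres. This is an added illustration, not earthmove's schema or policies: the tables, the policy names, and the JWT claims `org_id` and `role` are hypothetical; only the `auth.uid()` and `auth.jwt()` helpers and the `anon` / `authenticated` roles are Supabase's own.

```sql
-- Added illustration, not earthmove's schema. Assumes Supabase Postgres with the
-- built-in auth.uid() / auth.jwt() helpers and JWT custom claims named
-- "org_id" and "role" (both hypothetical names chosen for this example).

create table reports (
  id         bigint generated always as identity primary key,
  org_id     uuid        not null,
  subject    text        not null,            -- the business being verified
  verdict    text,
  created_at timestamptz not null default now()
);

create table audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  actor      uuid,                            -- auth.uid() of the caller; null for service-role jobs
  action     text        not null,            -- INSERT / UPDATE / DELETE
  table_name text        not null,
  row_id     bigint,
  old_row    jsonb,
  new_row    jsonb
);

-- Deny by default: with RLS enabled and no matching policy, a role sees nothing.
alter table reports   enable row level security;
alter table reports   force  row level security;   -- the table owner gets no bypass either
alter table audit_log enable row level security;   -- no policies at all: clients cannot read or edit it

-- Least privilege for the Supabase client roles. The only path into audit_log is the trigger.
revoke all on audit_log from anon, authenticated;
revoke all on reports   from anon, authenticated;
grant select on reports to authenticated;
grant update (verdict) on reports to authenticated;  -- column-level: verdict is the only writable column

-- Analysts and reviewers may read reports belonging to their own org only.
create policy analyst_read on reports for select to authenticated
  using (
    org_id = (auth.jwt() ->> 'org_id')::uuid
    and (auth.jwt() ->> 'role') in ('analyst', 'reviewer')
  );

-- Only reviewers may change a verdict, and only within their org. WITH CHECK
-- stops a row from being re-homed to another org by the update itself.
create policy reviewer_update on reports for update to authenticated
  using (
    org_id = (auth.jwt() ->> 'org_id')::uuid
    and (auth.jwt() ->> 'role') = 'reviewer'
  )
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- Every state change on reports is written to audit_log. SECURITY DEFINER lets
-- the trigger insert into a table the calling role holds no grants on.
create or replace function audit_reports() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into audit_log (actor, action, table_name, row_id, old_row, new_row)
  values (
    auth.uid(),
    tg_op,
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return case when tg_op = 'DELETE' then old else new end;
end;
$$;

create trigger reports_audit
  after insert or update or delete on reports
  for each row execute function audit_reports();
```

Two caveats a reviewer would raise against this sketch. Report rows are inserted by a backend using Supabase's `service_role`, which bypasses RLS, so the trigger is what guarantees those writes are still recorded (with a null actor). And row triggers fire only on writes: the "access" half of the audit claim, i.e. who read which report, has to be logged at the API layer or with the `pgaudit` extension, which Supabase offers; RLS alone does not produce a read trail.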
Compliance matrix
Where each framework stands today. “In progress” and “Roadmap” are stated honestly — they are not claims of certification.
| Framework / control | Status | Detail |
|---|---|---|
| FCRA (entity / commercial verification) | Compliant | Business checks are not consumer reports; individual checks route through a licensed CRA. |
| CCPA (California consumer privacy) | Compliant | Access, deletion, and do-not-sell rights honored. |
| GDPR (EU/EEA data subjects) | Compliant | Access, rectification, erasure, and portability on request. |
| Encryption (AES-256 at rest, TLS 1.3 in transit) | In place | Standard across our Supabase / Vercel infrastructure. |
| SOC 2 Type II | In progress | Audit underway — target Q3 2026. |
| Third-party penetration testing | Roadmap | Independent annual cadence planned alongside SOC 2. |
Status reflects current state as of this page's publication. SOC 2 Type II is in progress (target Q3 2026), not certified.
Responsible disclosure
Found a vulnerability? Email security@earthmove.io with details and reproduction steps. We acknowledge reports, investigate in good faith, and will not pursue researchers acting under responsible-disclosure practice. Please give us reasonable time to remediate before any public disclosure.
Need an enterprise security review?
We’ll walk your security team through our data architecture, controls, and compliance roadmap.