Security & Compliance

How we protect borrower data.

This page is maintained by Readiness IQ to answer common security, privacy, and compliance questions about the borrower prequalification platform. It is not an independent audit, and describes app-owned controls and enabled platform capabilities rather than a certification.

Access & authentication

Every user account is protected with strong password requirements, leaked-password protection against the Have I Been Pwned database, and role-based access control. Administrative access to borrower data is scoped to named individuals, logged, and reviewed on a regular cadence.

  • Password + optional social sign-in (Google) via Supabase Auth
  • Row-Level Security on every user-facing table
  • Separate SECURITY DEFINER role checks — roles are never stored on the user profile
  • Admin approval workflow for new borrower-facing accounts
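The role-check pattern the list above describes (roles kept in their own table rather than on the editable profile row, read through a `SECURITY DEFINER` function, and used from Row-Level Security policies) is shown below as an added illustration. This is example SQL written for this page, not Readiness IQ's own schema; the table names `user_roles` and `prequalifications`, the enum `app_role` and the function `has_role` are assumptions. It targets Postgres with Supabase Auth, where `auth.uid()` returns the caller's user id.

```sql
-- Hypothetical schema illustrating the pattern: roles live in their own table,
-- never on the profile row that the user is allowed to edit.
create type public.app_role as enum ('admin', 'loan_officer', 'borrower');

create table public.user_roles (
  user_id uuid not null references auth.users(id) on delete cascade,
  role    public.app_role not null,
  primary key (user_id, role)
);
-- RLS enabled with no policies: clients can neither read nor write this table.
-- Only server-side code (service role / migrations) assigns roles.
alter table public.user_roles enable row level security;

-- SECURITY DEFINER lets the function read user_roles even though the caller cannot.
-- STABLE lets the planner cache the result inside a statement; an empty search_path
-- prevents search_path hijacking of a privileged function.
create or replace function public.has_role(_role public.app_role)
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.user_roles
    where user_id = auth.uid()
      and role = _role
  );
$$;

-- Only signed-in users may call the check; anonymous callers get nothing.
revoke execute on function public.has_role(public.app_role) from public;
grant  execute on function public.has_role(public.app_role) to authenticated;

-- A borrower-facing table: every row is owned by exactly one borrower.
create table public.prequalifications (
  id               uuid primary key default gen_random_uuid(),
  owner_id         uuid not null references auth.users(id) on delete cascade,
  requested_amount numeric(12, 2) not null,
  created_at       timestamptz not null default now()
);
alter table public.prequalifications enable row level security;

-- Borrowers read and create only their own rows.
create policy "borrowers read own prequalifications"
  on public.prequalifications for select
  to authenticated
  using (owner_id = auth.uid());

create policy "borrowers insert own prequalifications"
  on public.prequalifications for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Admin visibility is decided by the role table via has_role(), not by any
-- column the user could change on their own profile.
create policy "admins read all prequalifications"
  on public.prequalifications for select
  to authenticated
  using (public.has_role('admin'));

-- Local check (constructed ids): impersonate a signed-in user inside one transaction
-- and confirm the role-gated policy does not apply to a plain borrower.
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims',
--     '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
--   select public.has_role('admin');              -- expected: false for a non-admin
--   select count(*) from public.prequalifications; -- only rows with owner_id = that sub
-- rollback;
```

Two points worth verifying in a review of such a setup: that no `insert`/`update` policy exists on the roles table (so a user cannot grant themselves a role), and that `has_role` pins `search_path`, since a `SECURITY DEFINER` function without it can be redirected to attacker-created objects in a writable schema.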

Data protection

Borrower data is encrypted in transit and at rest. Sensitive PII is minimized in transactional payloads, and email addresses in system logs are redacted for internal reviews.

  • TLS 1.3 for all traffic between browser, app, and database
  • AES-256 at rest via managed Postgres storage
  • Redacted PII in system logs and support tooling
  • No borrower credit files or credentials stored in application logs

Platform & hosting

Readiness IQ runs on managed cloud infrastructure with globally distributed edge delivery. The database is a managed Postgres cluster with automated daily backups and point-in-time recovery.

  • Managed Postgres with daily backups + PITR
  • Edge-delivered frontend for low latency
  • Isolated preview and production environments
  • Serverless server functions — no long-lived servers to breach

Compliance posture

Readiness IQ is designed to support enterprise mortgage lenders' obligations under TRID, ECOA, GLBA, and applicable state disclosure requirements. This page describes the platform's technical controls; formal certification claims are called out explicitly.

  • TRID / ECOA / GLBA-aware data handling
  • Consent capture and audit trail on every borrower session
  • SOC 2 Type II — on roadmap; not yet certified
  • GDPR — supported for EU-resident inquiries via privacy request workflow

Subprocessors

Readiness IQ uses a short list of vetted subprocessors. A current list can be provided to enterprise customers under NDA during procurement.

  • Managed Postgres & authentication (Supabase)
  • Edge hosting & CDN (Cloudflare)
  • Transactional email delivery (Mailgun via managed platform)
  • AI inference for scoring assistance (Lovable AI Gateway)

Incident response

Security-relevant events are reviewed daily. Customers are notified in accordance with contractual SLAs when an incident materially affects their data. Report a suspected vulnerability or incident to brian@readinessiq.ai.

Vulnerability disclosure

We welcome coordinated disclosure from security researchers. Please email brian@readinessiq.ai with reproduction details. We commit to acknowledging within two business days and providing a remediation timeline.

Procurement, vendor risk, or DPA request?

We provide a security questionnaire response, subprocessor list, and Data Processing Addendum to enterprise prospects under NDA.