Security
How we protect your data. Plain English.
Payments
All payments are processed by Stripe. We never see, store, or have access to your card number. Stripe is PCI DSS Level 1 certified.
Data in transit
HTTPS everywhere. TLS 1.2+ on all connections. No exceptions.
Security & Identity
We do not store passwords. Surmado uses Clerk for all identity management, authentication, and session control.
- Zero-Knowledge: We never touch or store your credentials.
- Compliance: Our identity infrastructure is SOC 2 Type II and ISO 27001 compliant.
- Protection: Active, specialized defenses against credential stuffing, session fixation, and brute-force attacks.
Infrastructure
We run on Netlify (frontend) and secure cloud infrastructure for report generation. Your reports are generated on-demand and delivered via encrypted channels.
What we don't do
- We don't sell your data
- We don't store payment card information
- We don't share your business information with competitors
AI providers
To generate reports, we send data to third-party AI APIs (OpenAI, Anthropic, Google, etc.). We use API access, not consumer chat products. See our subprocessor list for the full list of providers. For details on how your data may be used, see our Terms of Service.
DeepSeek is accessed via Together AI (US infrastructure). DeepSeek is largely open source: it releases powerful AI models with accessible code and weights, often under permissive licenses such as MIT, which allow free use, modification, and deployment for research and commercial projects. We do not use the DeepSeek API or any China-domiciled servers. Our servers are located in the United States of America.
Questions?
Email hi@surmado.com with security questions. For formal security inquiries, contact legal@surmado.com.