Good Stewards is built from the ground up with financial-grade security, strict privacy defaults, and transparent compliance practices — so you can focus on growing your legacy, not worrying about your data.
Encryption at Rest: AES-256
Encryption in Transit: TLS 1.3
Uptime SLA: 99.9%
Breach Notification: < 72 hrs
Every layer of Good Stewards is designed with security in mind — from the database to the UI.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256, the same standard used by leading financial institutions.
Granular permissions ensure family members only access what they're authorised to see. Admins control every role.
Hosted on Supabase (powered by AWS), with automatic backups, geographic redundancy, and zero single points of failure.
Our systems are monitored 24/7 for anomalous activity. Automated alerts fire within seconds of any unusual pattern.
MFA is available for every account and strongly recommended for all admin users to prevent unauthorised access.
We maintain a clear vulnerability-disclosure programme. Security researchers can report issues to security@goodstewards.app.
We designed our data practices around the principle that families should never have to trade privacy for functionality. Transparency is a feature, not an afterthought.
We never sell your data
Your family's financial information is never sold, rented, or shared with advertisers.
Minimal data collection
We only collect data that's necessary to provide the service — nothing more.
You own your data
You can export or delete your data at any time directly from your Settings.
Transparent sub-processors
We publish a full list of third-party services that touch your data and why.
We're transparent about every category of data we handle.
| Data Category | Shared? |
|---|---|
| Account credentials | No |
| Portfolio / holdings | No |
| Transaction history | No |
| Vote & proposal records | No |
| Usage analytics | Anonymised only |
| Support tickets | Support tooling |
We pursue rigorous compliance frameworks and are transparent about our current status.
| Framework | Status |
|---|---|
| SOC 2 Type II | Audit underway — expected Q3 2025 |
| GDPR Compliance | Data Processing Agreements available on request |
| CCPA Compliance | California consumer rights fully supported |
| PCI DSS | Payment processing handled by Stripe (PCI Level 1) |
We rely on a small number of best-in-class providers. Each is contractually bound to our privacy standards.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database & authentication | US (AWS) |
| Stripe | Payment processing | US / EU |
| Anthropic (Claude) | AI assistant (Sage) | US |
| Vercel | Web hosting & CDN | Global edge |
| Dropbox Sign | Electronic signatures | US |
| Cloudinary | Image optimisation | Global CDN |
Can't find your answer? Email us at security@goodstewards.app
Where is my data stored?
Your data is stored in Supabase-managed PostgreSQL databases hosted on AWS us-east-1 with automatic replication to a secondary region.
Who can see my family's portfolio data?
Only authenticated members of your family group — according to the roles your admin assigns. Good Stewards staff cannot access your portfolio data except where required to resolve a support ticket with your explicit consent.
How do you handle a data breach?
We follow a documented incident-response plan. Affected users are notified within 72 hours of discovery, in line with GDPR Article 33 obligations.
Can I delete my account and data?
Yes. You can request full account deletion from Settings → Account → Delete Account. All personal data is purged within 30 days.
Do you use AI, and does it train on my data?
Our AI assistant (Sage) is powered by the Claude API. Your data is not used to train Anthropic's models. Queries are processed in real time and not retained beyond your session.
Our security team responds to all enquiries within one business day. For urgent vulnerability reports, please use our responsible disclosure address.