Turnstone

Security Practices

Last updated: March 9, 2026

Turnstone is built to handle sensitive financial documents — CIMs, teasers, and proprietary deal data. Security is foundational to the platform, not an afterthought. This page describes the measures we take to protect your data at every layer.

Data Encryption

All data transmitted between your browser and Turnstone servers is encrypted via HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks.

Data at rest is encrypted using AES-256 encryption provided by our infrastructure on AWS (via Supabase). Database backups, file storage, and all persistent data benefit from AWS's encryption-at-rest guarantees.

Tenant Isolation

Every database table in Turnstone uses PostgreSQL Row-Level Security (RLS) policies. This is database-level enforcement — not application-level filtering. Each authenticated request sets a session-scoped user context, and PostgreSQL itself ensures that queries can only access rows belonging to that user.

  • RLS policies are applied to all tables containing user data
  • Tenant isolation is enforced at the database layer, independent of application code
  • There is no shared data surface between users — your deals, documents, and analysis are completely isolated
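
The pattern described above, as an added example that is not Turnstone's code: a policy that keys every row on a transaction-local setting, and a request wrapper in the style of node-postgres that sets the setting inside the transaction and lets the query run without any tenant filter of its own. The table `deals`, the column `owner_id`, the setting `app.user_id` and the recording fake client are assumptions made for the example.

```javascript
'use strict';
// Added example, not Turnstone's code. Table, column and setting names are assumptions.

// One-time migration. The policy makes the database the enforcement point: a query with
// no WHERE clause still only sees the caller's rows. current_setting(..., true) returns
// NULL when the setting is absent, so an unset context yields zero rows (default deny).
const RLS_MIGRATION = `
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;  -- applies even to the table owner
CREATE POLICY deals_owner_only ON deals
  USING      (owner_id = current_setting('app.user_id', true)::uuid)
  WITH CHECK (owner_id = current_setting('app.user_id', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Run fn inside one transaction with the user context set via set_config(..., is_local = true):
// the setting dies at COMMIT/ROLLBACK, so it cannot leak to the next request that reuses
// the same pooled connection. The id travels as a bind parameter, never inside the SQL text.
async function withUserContext(client, userId, fn) {
  if (!UUID_RE.test(userId)) throw new Error('invalid user id');
  await client.query('BEGIN');
  try {
    await client.query("SELECT set_config('app.user_id', $1, true)", [userId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Application code carries no tenant filter; the policy supplies it.
function listDeals(client, userId) {
  return withUserContext(client, userId, async (c) => {
    const { rows } = await c.query('SELECT id, name FROM deals ORDER BY name');
    return rows;
  });
}

// Recording fake client (constructed for this example) so the flow runs offline.
// A real service passes a pg.Pool client here instead.
function fakeClient({ rows = [], failOn = null } = {}) {
  const log = [];
  return {
    log,
    async query(text, params = []) {
      log.push({ text, params });
      if (failOn && text.startsWith(failOn)) throw new Error('simulated query failure');
      return { rows: text.startsWith('SELECT id') ? rows : [] };
    },
  };
}

module.exports = { RLS_MIGRATION, withUserContext, listDeals, fakeClient };
```

The `true` third argument to `set_config` is the detail that matters: it scopes the setting to the transaction, so a pooled connection handed to the next request starts clean. Because `current_setting(..., true)` returns NULL when nothing was set and `owner_id = NULL` is never true, a code path that forgets to set the context sees no rows rather than everyone's.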

Authentication

Turnstone uses Auth0 for identity management, an industry-standard authentication platform trusted by thousands of enterprises. All API requests are verified using RS256-signed JSON Web Tokens (JWTs) issued by Auth0.

  • OpenID Connect (OIDC) compliant authentication flow
  • RS256 asymmetric JWT verification on every API request
  • Support for Google single sign-on via custom OAuth credentials
  • Silent token refresh to maintain sessions without exposing credentials

File Security

Uploaded documents go through multiple validation layers before processing:

  • Magic byte validation — PDF files are verified at the binary level to confirm they are genuine PDFs, not disguised executables
  • Extension-MIME matching — file extensions are cross-checked against actual MIME types to prevent spoofing
  • Filename sanitization — filenames are stripped of path traversal characters and unsafe sequences
  • Zip bomb protection — XLSX files are checked for decompression bombs with a 10MB buffer cap before processing
  • Upload limits — maximum 25MB per request, 10 files per screening, 50MB total per screening session

AI Processing

Turnstone uses the Anthropic Claude API to analyze your documents. Your data is handled with strict privacy guarantees:

  • No model training — Anthropic does not use data submitted through their API to train or improve their AI models
  • No human review — your documents are not read by humans at Anthropic or Turnstone
  • Process and discard — documents are transmitted to the API for analysis, results are returned, and the AI provider does not retain your data
  • No API keys in the browser — all AI processing happens server-side; your browser never communicates directly with the AI provider

Network Security

The Turnstone API is protected by multiple layers of network-level security:

  • CORS allowlist — cross-origin requests are restricted to specific, approved domains (not wildcard)
  • Rate limiting — API endpoints enforce request rate limits to prevent abuse
  • Helmet security headers — HSTS, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), and strict Referrer-Policy are set on all responses
  • Content Security Policy — the frontend serves CSP headers, which the browser enforces to restrict where scripts may load from and so prevent cross-site scripting (XSS) attacks
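
The three API-side controls above as an added example in plain JavaScript (not Turnstone's code, and not the source of Helmet or any CORS library): an exact-match origin allowlist, the listed headers, and a fixed-window rate limiter. Domain names, header values and the limit are placeholders chosen for the example.

```javascript
'use strict';
// Added example, not Turnstone's code. Domains, header values and limits are placeholders.

const ALLOWED_ORIGINS = new Set(['https://app.turnstone.example', 'https://www.turnstone.example']);

// Compare the full origin string against the allowlist. Suffix or substring tests such as
// origin.endsWith('turnstone.example') would also admit 'https://evil-turnstone.example'.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {}; // no ACAO header: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,        // echo the approved origin, never '*'
    'Vary': 'Origin',                             // caches must not hand one origin's answer to another
    'Access-Control-Allow-Credentials': 'true',
  };
}

// The headers the page lists; the values are this example's choice.
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// Fixed-window limiter keyed per client (user id or IP). In-memory, so it counts per process;
// behind a load balancer the buckets belong in a shared store.
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  check(key, nowMs = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || nowMs >= b.resetAt) {
      b = { count: 0, resetAt: nowMs + this.windowMs };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.limit;
    return { allowed, remaining: Math.max(0, this.limit - b.count), retryAfterMs: allowed ? 0 : b.resetAt - nowMs };
  }
}

// One decision for one request; req is a minimal { headers, clientKey } shape, framework-free.
function applyNetworkControls(req, limiter, nowMs = Date.now()) {
  const headers = { ...securityHeaders(), ...corsHeadersFor(req.headers.origin) };
  const rl = limiter.check(req.clientKey, nowMs);
  if (!rl.allowed) {
    return { status: 429, headers: { ...headers, 'Retry-After': String(Math.ceil(rl.retryAfterMs / 1000)) } };
  }
  return { status: 200, headers };
}

module.exports = { corsHeadersFor, securityHeaders, RateLimiter, applyNetworkControls };
```

Omitting the `Access-Control-Allow-Origin` header for an unknown origin is the right failure: the request may still reach the server, but the browser refuses to expose the response to the page that made it.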

Monitoring & Error Handling

We use Sentry for error monitoring across both the backend API and the frontend application. Error reports are configured to strip authorization headers and other sensitive data before transmission, ensuring that tokens and credentials are never captured in error logs.

Error details are hidden from API responses in production. Only generic error messages are returned to clients — detailed stack traces and internal state are never exposed.
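
A `beforeSend`-style scrubber in the shape Sentry's JavaScript SDK hands to that hook, plus a production error responder, as an added example that is not Turnstone's configuration. The header list, query-parameter names and redaction patterns are assumptions made for the example.

```javascript
'use strict';
// Added example, not Turnstone's configuration. Header names, query keys and patterns are assumptions.

const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key']);
const SENSITIVE_QUERY_KEYS = new Set(['token', 'access_token', 'id_token', 'refresh_token', 'code', 'api_key']);
// Bearer credentials, and bare JWT-shaped strings, wherever they appear in free text
const TOKEN_RE = /\b(Bearer\s+)[A-Za-z0-9._~+\/-]+=*|\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

function redactString(s) {
  return typeof s === 'string' ? s.replace(TOKEN_RE, (m, bearer) => (bearer || '') + '[REDACTED]') : s;
}

function scrubQueryString(qs) {
  const params = new URLSearchParams(qs);
  for (const k of [...params.keys()]) if (SENSITIVE_QUERY_KEYS.has(k.toLowerCase())) params.set(k, '[REDACTED]');
  return params.toString();
}

// Event fields follow Sentry's payload: request.headers, request.query_string, request.url,
// message, breadcrumbs[].message, exception.values[].value. Wire it up as
// Sentry.init({ beforeSend: scrubEvent }). Works on a copy so the caller's object is untouched.
function scrubEvent(event) {
  const e = JSON.parse(JSON.stringify(event));
  if (e.request) {
    for (const k of Object.keys(e.request.headers || {})) {
      if (SENSITIVE_HEADERS.has(k.toLowerCase())) e.request.headers[k] = '[REDACTED]';
    }
    if (typeof e.request.query_string === 'string') e.request.query_string = scrubQueryString(e.request.query_string);
    if (typeof e.request.url === 'string') {
      try {
        const u = new URL(e.request.url);
        u.search = scrubQueryString(u.search);
        e.request.url = u.toString();
      } catch {
        e.request.url = redactString(e.request.url); // relative or malformed URL: fall back to pattern redaction
      }
    }
  }
  if (e.message) e.message = redactString(e.message);
  for (const b of e.breadcrumbs || []) b.message = redactString(b.message);
  for (const v of (e.exception && e.exception.values) || []) v.value = redactString(v.value);
  return e;
}

// What the client receives. In production only a generic message and a correlation id go
// out; the full error, already scrubbed, belongs in the monitoring system.
function clientErrorBody(err, { production, requestId }) {
  if (production) return { error: 'Internal server error', requestId };
  return { error: err.message, stack: err.stack, requestId };
}

module.exports = { scrubEvent, clientErrorBody, redactString, scrubQueryString };
```

Headers are the obvious place to scrub, but tokens also turn up in query strings, breadcrumb messages and exception text, which is why the scrubber walks all of them and why the correlation id, not the stack trace, is what the client gets to quote back to support.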

Compliance & Policies

For full details on how we handle your data, account terms, and your rights, please review our legal policies:

  • Terms of Service — account terms, AI output disclaimers, acceptable use, and liability
  • Privacy Policy — data collection, third-party services, retention, and your rights

If you have security questions or need to report a vulnerability, contact us at support@turnstone.app.


© 2026 Turnstone