Trust Center

Security & Governance

RolePrint™ is built for HR, IT, and Compliance reviewers who expect clear boundaries, limited access, and outputs you can stand behind from day one.

Contact: contact@roleprint.com. This page is a high-level overview and does not constitute a contractual security commitment.

Security your reviewers can sign off on

RolePrint™ Tools and Systems provide clear boundaries, scoped access, and traceable actions—built for HR, IT, and Compliance buyers who expect governance from day one.

SOC 2 Type II certification roadmap available

Post-exit only (not employee monitoring)

RolePrint™ Tools are designed for handoff and governance after a confirmed departure or formal transition event. They are not positioned as employee monitoring tools.

Read-only by design

RolePrint™ only reads your Microsoft 365 data to run analysis. It never writes, edits, or changes anything in your tenant.

Scoped access + least privilege

Access is intended to be configured with least-privilege principles. Outputs can be segmented by stakeholder audience (HR, managers, Legal/Compliance) to reduce overexposure.

Retention-aligned lifecycle

Handoff materials are kept only as long as you need them, so transition data doesn’t pile up. Align with your retention policies.

Clear record of who did what

You can see who viewed or downloaded what, when reports were generated, and how they tie back to the source data.

No impersonation / no masquerading

RolePrint™ never pretends to be the user. It only reads data to run analysis—no impersonation, no acting on behalf of employees.

What we access

The following describes what RolePrint™ will access once M365 integration is live. Current demos use mock data.

From Microsoft 365

  • Email metadata (sender, recipient, subject, date) — We do not read email content.
  • Meeting metadata (title, attendees, timing) — We do not access meeting recordings or chat.
  • File metadata (name, location, modified date) — We do not read file contents.
  • SharePoint site access patterns — We do not monitor real-time activity.

Post-activity only

  • Analysis runs after a departure or during a planned transition — never on active, unsanctioned employees.
  • Admin-controlled—prevents surveillance of current employees.
  • Read-only access—we never modify or delete your data.

Current state & maturity

We are transparent about where we are today. RolePrint™ is demo-ready and pre-revenue. Microsoft 365 integration is planned; demos may use mock or sample data. We do not claim certifications we have not yet achieved.

  • Stage: Pre-revenue, demo-ready
  • SOC 2: Not certified; SOC 2 planning begins after first customers (see roadmap below)
  • Team: No dedicated 24/7 security operations today
  • We will provide current status and evidence in the Security Review Packet.

Hosting & infrastructure

  • Frontend: Vercel (Next.js)
  • Backend / DB / Auth: Supabase (PostgreSQL, Supabase Auth, Row Level Security)
  • File storage (planned for deliverables): Supabase Storage
  • Regions: US-based default regions for Vercel and Supabase; region selection can be customer-driven as needed
  • CDN: Vercel Edge Network

Data classification

How we treat data in scope for RolePrint™:

  • Customer Microsoft 365 metadata (planned): Confidential
  • Analysis outputs / reports: Confidential
  • Generated deliverables: Confidential, customer-owned
  • Platform telemetry/metadata: Internal
  • PII in scope: Business context only (e.g. names, emails, job titles, departments); no consumer PII

Security controls

In place today:

  • Encryption in transit: TLS (Vercel/Supabase defaults)
  • Encryption at rest: Provider-managed (Supabase)
  • Tenant isolation: Supabase Row Level Security policies keyed by tenant
  • Secrets: Environment variables in Vercel/Supabase
  • Sessions: Supabase Auth sessions, tokens, and refresh flows
  • Security contact: contact@roleprint.com

Not yet in place (explicit):

  • No SOC 2 attestation today
  • No 24/7 staffed monitoring
  • No formal penetration test yet
  • No formalized incident response runbook (see roadmap)

Incident response

  • Reporting: contact@roleprint.com (monitored by the team)
  • Response targets: Critical issues within 24 hours; high-priority within 72 hours
  • Customer notification: We will notify affected customers within 72 hours of a confirmed breach (or share an initial assessment earlier when appropriate)

Subprocessors

We use the following subprocessors to operate the service:

  • Vercel: Application hosting and edge network
  • Supabase: Database, auth, and storage infrastructure

No other subprocessors are currently in scope. Enterprise or pilot agreements may list subprocessors and data protection terms.

Compliance roadmap

We do not claim controls we do not have. Our roadmap is milestone-based and tied to customer traction:

  • Phase 1 (now): Baseline posture for early pilots—tenant isolation, TLS, encryption at rest, security contact
  • Phase 2 (first customers): Formal policies, application audit logging, backup/restore and retention documentation
  • Phase 3 (~5+ customers): SOC 2 Type I readiness, evidence collection, security training, vulnerability scanning, incident response runbook
  • Phase 4 (~10+ customers): SOC 2 Type II, penetration testing, enhanced monitoring

Full details are in the Security Review Packet and internal roadmap documents.

For procurement & security teams

  • What you can request: Architecture overview, data flow diagram, access model, audit logging approach, and review checklists. Download the Security Review Packet.
  • What we won't claim: Certifications you haven't validated. We provide current status and evidence in the packet.

Contact

Security or governance questions? Email contact@roleprint.com. For privacy, see our Privacy Policy.

Last updated: January 31, 2026.