Security & Trust
VINCIT QSV is built for governance, investor-relations and legal teams at listed companies — buyers who, rightly, hold data handling to a high standard. Here's how your data is stored, who can access it, and why the analysis is defensible.
The governance profiles you save, your team's tasks, and your organisation and user records are stored in a managed PostgreSQL database (Supabase) in a secured cloud environment, with encryption in transit (TLS) and at rest.
While you are actively working on an analysis, your working inputs — such as the share register, director details and notes you enter — are held locally in your own browser, on your device, until you choose to save a profile.
The shared policy database — investors' published voting positions — is reference data drawn from public documents and is common to the platform; it contains no client-specific information.
Access is gated by enterprise authentication (Clerk). Every request for an organisation's data is authorised against your verified membership of that organisation — not merely the address you visit — so one organisation's users cannot access another organisation's data. Roles control who can administer an organisation versus who can view and work within it.
Team task assignment and notifications are restricted to verified members of your organisation — work cannot be assigned to arbitrary external email addresses.
Your company data is used only to generate the analysis you request — risk briefings, investor prep, scenario modelling, board packs. VINCIT QSV does not train machine-learning models on your data, and your data is not shared with other clients or third parties for that or any marketing purpose.
Confidential inputs — your register, engagement notes, governance profiles and briefings — are processed only by Anthropic's Claude API, which under its commercial terms does not train its models on the content sent to it.
For convenience, you can also upload public filings (annual reports and AGM voting results) for automatic extraction; these may additionally be processed by a third-party extraction model purely to structure the document into fields. Because those documents are already public, no confidential client information is exposed to it.
The platform's investor and proxy-advisor positions are extracted verbatim from published voting policies and guidelines — not paraphrased, not inferred by a model. Every flagged position can be traced to the literal source text and the specific threshold the investor applies.
Outcome forecasts are framed as a register-weighted reading of those published policies against your profile. They describe where the thresholds land — not an assertion of any investor's voting intent. This keeps the analysis auditable, defensible, and free from speculation.
You control your company data. Saved profiles, tasks and account records are retained for as long as your organisation maintains an active engagement, and can be exported or deleted on request. On termination, your saved company data is removed from active systems within a reasonable period.
Working data held in your browser remains on your own device and can be cleared from your browser at any time.
We're happy to answer security, data-handling or due-diligence questions in detail, including for procurement and legal review.
Get in touch via the contact page and we'll respond promptly.
Running procurement or a security review?
Talk to usThis page describes our current practices and is provided for information; it does not form part of any contract. Specific contractual data-handling terms are set out in your engagement agreement.