Trust

Security & data handling

Acretix helps you draft and run outcome-based contracts. Here is how we protect the deals, documents, and evidence you put in — in plain terms, and true to how the product actually works.

Accounts & authentication

  • Accounts are handled by Supabase Auth. Sign in with a password or a one-time magic link sent to your email.
  • Your session is managed by Supabase Auth via cookies and re-validated on the server on every request.

Your data is isolated

  • Every deal, measurement, and file is tied to its owner. Postgres row-level security (RLS) enforces — in the database itself, not just in our app code — that you can only read and write your own records.
  • The only other access is through explicit, database-enforced policies — our review staff handling a submission, or a counterparty you invite to a deal. Nothing is shared by default.

Documents & evidence

  • Evidence files live in a private storage bucket that is never publicly listable.
  • They are served only through signed links that expire after one hour, generated fresh each time you open a file — and access to the bucket follows the same per-deal rules as the rest of your data.
  • Each upload is fingerprinted with a SHA-256 hash, and the evidence set is frozen once a settlement cycle is verified, so the proof behind an agreed number is tamper-evident.
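
One way a frozen, tamper-evident evidence set can be checked, as an added example (not Acretix's own code). The manifest layout, the set digest over canonical JSON, and all function and file names are assumptions for illustration.

```python
import hashlib
import json


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of one file's bytes."""
    return hashlib.sha256(data).hexdigest()


def _set_digest(files: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same set of
    # fingerprints always produces the same digest.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def freeze(evidence: dict) -> dict:
    """Record per-file fingerprints plus one digest over the whole set."""
    files = {name: fingerprint(data) for name, data in evidence.items()}
    return {"files": files, "set_digest": _set_digest(files)}


def verify(manifest: dict, evidence: dict) -> list:
    """Return discrepancies; an empty list means the set is unchanged."""
    problems = []
    if _set_digest(manifest["files"]) != manifest["set_digest"]:
        problems.append("manifest: fingerprints do not match set digest")
    for name in sorted(set(manifest["files"]) | set(evidence)):
        if name not in evidence:
            problems.append(f"{name}: missing")
        elif name not in manifest["files"]:
            problems.append(f"{name}: added after freeze")
        elif fingerprint(evidence[name]) != manifest["files"][name]:
            problems.append(f"{name}: modified")
    return problems


# Constructed sample evidence set (file name -> bytes), not real data.
SAMPLE = {
    "usage-report.csv": b"month,units\n2026-05,1200\n",
    "invoice.pdf": b"%PDF-1.7 constructed sample",
}
FROZEN = freeze(SAMPLE)

if __name__ == "__main__":
    tampered = dict(SAMPLE, **{"usage-report.csv": b"month,units\n2026-05,2100\n"})
    print(verify(FROZEN, SAMPLE))
    print(verify(FROZEN, tampered))
```

A check like this detects tampering only if the set digest is kept where anyone able to alter the files cannot also rewrite it.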

E-signatures

  • When a contract is ready to sign, it is routed through eSignatures.com, a dedicated e-signature provider that collects each party's signature.
  • We verify the cryptographic signature (HMAC-SHA256) on every completion callback before trusting it, so a forged notification cannot mark a contract as signed.

We never touch your money

  • Acretix drafts and operates outcome-based contracts. It never collects card or bank details and never moves money.
  • A deal's payment is the agreed formula and terms; settlement happens directly between the parties, off-platform. There are no stored card numbers to leak, because we never ask for them.

AI assistance is opt-in

  • AI features are off by default. You switch them on per account under Settings → AI.
  • When enabled, your draft text is sent to Anthropic's Claude API to generate suggestions, and a per-account usage budget caps how much is processed. With AI off, the wizard, templates, and document export work exactly the same.

Secrets stay on the server

  • The browser only ever receives our public Supabase key, which is safe by design and constrained by row-level security.
  • Service-role keys and every third-party API key are server-only and are never shipped to the client.

Infrastructure

  • The app runs on Vercel; the database, authentication, and file storage run on Supabase (managed PostgreSQL).
  • Traffic is encrypted in transit with HTTPS/TLS, and data is encrypted at rest by those providers.

Report a security issue

Found something? Email hello@tryacretix.com. We will work with you on a fix and ask that you hold off on public disclosure until it is resolved.

Last updated June 2026.