Security & trust at Rainmaker
This page is maintained by CyberGen AI to answer common security and privacy questions about Rainmaker. It describes controls that are live in the product today — not certifications or guarantees.
Last reviewed: June 2026
Shared responsibility
Rainmaker runs on Lovable Cloud, which provides the underlying hosting, managed Postgres, and authentication primitives. CyberGen AI owns the application code, data model, access policies, and customer-facing processes built on top. Customers are responsible for protecting their own credentials, managing who they invite into their tenant, and the accuracy of data they upload.
Platform & hosting
The application is a TanStack Start app served from Lovable Cloud's edge runtime. Application data is stored in managed Postgres with Row-Level Security enabled on every customer-facing table. Tenant and company isolation is enforced in the database with auth_tenant_ids() and auth_company_ids() helpers, so a request can only read rows the signed-in user is a member of, even if application code has a bug.
Server-side logic runs as typed RPC server functions, not as a public API surface. Secrets and API keys are read on the server only and never shipped to the browser bundle.
Access & authentication
Authentication is handled by Supabase Auth: email + password and magic link. Sessions are scoped per tenant, and role membership is stored in dedicated tenant_members and company_members tables, never on profile records. Role checks are evaluated server-side through SECURITY DEFINER helpers, so the browser cannot escalate privileges by editing local state.
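The pattern described under "Platform & hosting" and "Access & authentication", as an added sketch that is not taken from Rainmaker's code base. Only the names auth_tenant_ids(), tenant_members and Supabase's auth.uid() come from the page or the platform; the column names, the function body and the deals table are assumptions made for illustration.

```sql
-- Illustrative only: the page names auth_tenant_ids() and tenant_members but
-- does not show their definitions. Columns, the function body and the
-- "deals" table below are assumptions.

create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  role      text not null,
  primary key (tenant_id, user_id)
);
alter table tenant_members enable row level security;

-- A signed-in user may read only their own membership rows.
create policy tenant_members_self_read on tenant_members
  for select using (user_id = auth.uid());

-- SECURITY DEFINER runs with the function owner's rights, so the membership
-- lookup is not filtered by the caller's RLS view of tenant_members.
-- Pinning search_path stops a caller from shadowing tenant_members with an
-- object of the same name in another schema.
create or replace function auth_tenant_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select tenant_id from tenant_members where user_id = auth.uid();
$$;

-- Hypothetical customer-facing table.
create table deals (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  title     text not null
);
alter table deals enable row level security;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts and updates that target another tenant.
create policy deals_tenant_isolation on deals
  for all
  using      (tenant_id in (select auth_tenant_ids()))
  with check (tenant_id in (select auth_tenant_ids()));

-- Audit check: every public table returned here has RLS switched off.
select tablename from pg_tables
where schemaname = 'public' and not rowsecurity;
```

In this sketch, deleting a user's row from tenant_members makes their next query against deals return nothing, because the policy re-evaluates membership on every statement.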
Deal rooms & counterparty data
Marketplace listings are anonymized by default. Buyer and seller identities, company names, and contact details remain masked until both parties have signed a mutual NDA inside the platform. Deal-room messages, documents, and milestone updates are scoped to the room and are only readable by members of that room.
How we use AI
AI-generated briefings, valuation commentary, and copilot answers are produced through the Lovable AI Gateway. Prompts include only the customer data needed to answer the question, and outputs are written back into the same tenant-scoped tables — they do not leave the customer's workspace. We do not train third-party foundation models on customer data.
Subprocessors
- Lovable Cloud — hosting, managed Postgres, authentication, and edge runtime.
- Lovable AI Gateway — proxied access to large-language-model providers for in-app AI features.
We will update this list before adding new subprocessors that process customer data.
Cookies & analytics
Rainmaker uses session cookies for authentication only. We do not run third-party advertising trackers or sell customer data. Product analytics, when enabled, are limited to aggregate usage events that do not include deal content or counterparty identifiers.
Privacy requests & data deletion
Customers can request export or deletion of their tenant data by emailing the address below. Tenant administrators can also remove members and companies from inside the app, which immediately revokes access through Row-Level Security.
Security contact & vulnerability disclosure
Report suspected vulnerabilities, account abuse, or privacy concerns to security@cybergen.ai. Please include steps to reproduce and avoid accessing data that does not belong to you while testing.
Compliance
Rainmaker is not currently advertising SOC 2, ISO 27001, HIPAA, PCI, or GDPR certification. The controls described on this page reflect how the product is built today and are not a substitute for an independent audit. If your diligence process requires specific attestations, contact us and we will tell you honestly where we stand.