Built for firm data, client work, and controlled access.
Ventura is designed around firm-scoped data, authenticated users, connection controls, and read-only observability. We name what ships today, what is in build, and what comes later.
Firm-scoped data
Every record is keyed to a firm. Row-level isolation is enforced at the database, not just at the application layer.
Authenticated users
Email-based authentication today. SSO (Google Workspace, Microsoft 365) and SCIM provisioning are on the roadmap.
Role-based access
Partner, operator, and read-only roles are planned for the next release. Today the model is single-firm with shared access.
Connection management
Mailbox and calendar connections are user-controlled, scoped to read-only by default, and disconnectable from inside the app.
System health visibility
Cron health, polling state, and admin observability are surfaced inside the app, not hidden behind a vendor dashboard.
No public client portal yet
Client-facing access ships only when the foundations are ready. Not before. Today, Ventura is a firm-side tool.
Where we are today.
Ventura is early access. We are not currently SOC 2 attested. We do not hold ISO 27001, HIPAA, or any other compliance certification. We're saying that out loud because aspirational logos in a security section are how trust gets broken.
What we do have today: firm-scoped data isolation enforced at the Postgres row level, authenticated user sessions with short-lived tokens, OAuth scopes limited to read-only on connected mailboxes and calendars, encrypted OAuth tokens at rest, audit logging on every meaningful state change, and a Canadian data region.
What we're working toward: a published privacy policy and terms, formal SOC 2 readiness once we're past early access, role-based access (partner, operator, read-only), and SSO via Google Workspace and Microsoft 365.
If a firm needs a security review before connecting an account, we'd rather have that conversation directly than point at a badge. Reach us at hello@useventura.com.
The stack, plainly.
Not because the stack is the point, but because firms doing a security review want it on a page.
- Database: Supabase Postgres with Row Level Security on every table
- Auth: Supabase Auth, email-based, with session caching
- Hosting: Vercel serverless functions, Node 22 runtime
- Region: Canadian region (ca-central-1) for the data layer
- Resend for transactional and digest mail
- AI: Claude Haiku for scoring and extraction, no PII training data sharing