My investor asked if my app is secure. What do I say?

Short answer

Don't wing it. Send a written answer with: (1) what data you hold and where, (2) three specific controls (RLS, auth, rate limits), (3) one line about a pre-launch scan and when it ran, (4) a link to your security.txt. Investors aren't looking for perfect — they want you to have thought about it and show your work.

Investors at seed ask this for two reasons: diligence before term sheet, and signaling-risk after term sheet ('if you get breached before Series A, our markup evaporates'). Either way, a prepared answer is worth five minutes of thought.

The four-paragraph email that usually closes it:

Paragraph 1: What data you hold, where. Example: 'We hold email, name, payment method on Stripe, and user-generated content on Supabase. No SSN, no health data, no EU-specific sensitive categories. Data lives in us-east-1 Supabase and Stripe US.'

Paragraph 2: Three specific controls. Example: 'Authentication is via Supabase Auth with email + password. All tables have Row-Level Security (RLS) policies enforcing tenant isolation. Auth endpoints are rate-limited. No service-role keys in client code.'

Paragraph 3: The scan + when it ran. Example: 'We ran a third-party security scan (Securie) on [date]. Found 2 items, both fixed within 48 hours. Scan report available on request under NDA.'

Paragraph 4: Future posture. Example: 'On SOC 2 Type 1 track, targeting [quarter]. Will sign a DPA with enterprise customers. /.well-known/security.txt published for coordinated disclosure.'
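What the paragraph 2 controls look like in practice, as an added example that is not from the page or from Securie: a constructed per-tenant table in Supabase (Postgres) with the RLS policies that make "tenant isolation" a true statement, and the check that shows why the service-role key must stay out of client code. It assumes Supabase Auth, so `auth.uid()` returns the caller's user id.

```sql
-- Constructed example: a per-tenant "documents" table in a Supabase project.
-- Assumes Supabase Auth; auth.uid() is the caller's user id (null for anon).
create table public.documents (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Weak state: until this line runs, any client holding the public anon key
-- can read and write every row through the auto-generated REST API.
alter table public.documents enable row level security;

-- Tenant isolation: a signed-in user sees and changes only their own rows.
-- No policy is granted to the anon role, so anonymous callers get zero rows.
create policy "documents_select_own" on public.documents
  for select to authenticated
  using (owner_id = auth.uid());

create policy "documents_insert_own" on public.documents
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "documents_update_own" on public.documents
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "documents_delete_own" on public.documents
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check from the SQL editor: impersonate one user the way PostgREST does
-- (constructed placeholder uuid) and confirm only that user's rows appear.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);
  select count(*) from public.documents;   -- rows owned by that sub only
rollback;

-- Caveat behind "no service-role keys in client code": the service_role key
-- maps to a role with BYPASSRLS, so every policy above is skipped for it.
-- Confirm which roles bypass RLS in your project:
select rolname from pg_roles where rolbypassrls;
```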

This beats 'we take security seriously' and also beats 'we're pre-launch and haven't looked into it' — both of which signal risk.

Securie's free scan (launching this year) will give you the thing to cite in paragraph 3. Join the early-access list now; your scan runs in week 1 and becomes the answer to every future investor asking the same question.
