How to answer 'is your app secure?' (without lying)
A prospect just emailed asking 'is your app secure?' You don't have a real answer. Here is the honest playbook — what to say, what evidence to point at, and how to turn this question from a deal-stopper into a deal-accelerator. Written for solo founders who don't want to lie.
A prospect emailed you yesterday. Three sentences:
> Hey — really excited about your product. One thing my team needs before we sign: can you tell us how you handle security? Just looking for an overview of your practices.
You stared at it for an hour. You drafted three different replies. Each one felt like a lie. You sent the safe one ("we take security very seriously, happy to jump on a call"). They haven't replied.
Here is what you should have sent.
## What the prospect is actually asking
The prospect is not running a security audit on you. They are running a procurement check. Their procurement person has a checklist. The checklist asks "did the vendor give us anything more substantive than 'we take security seriously'?" — and that's the bar. Two paragraphs of specifics beats a 50-page compliance document for this stage.
What they actually want to see:
1. You've thought about security at all. Many vendors haven't. Specifics prove you have.
2. You handle the basics. Encryption in transit, encryption at rest, access controls.
3. You have a way to prove what you say. Either a third-party attestation (SOC 2, ISO) or a clear technical statement they can verify.
4. You won't sell their data, lose their data, or get hacked into the news. Specifics — not promises — are the signal.
You probably handle 80% of these by default if you ship on Vercel + Supabase + Stripe. The hard part is articulating what you handle, what you don't, and what your roadmap is.
## The three-paragraph reply that closes deals
Here's the template. Customize the specifics; don't soften the structure.
> Hi [name],
>
> Great question — happy to give you the substance. Three things, plus links to anything you want to dig into:
>
> (1) The technical posture. [Your app] runs on [Vercel / AWS / etc.] with TLS everywhere, AES-256 encryption at rest in [Supabase / your DB] managed by [provider], and per-user authorization enforced at the database layer via Row-Level Security. Secrets live in [Vercel env vars / AWS Secrets Manager], never in source code, and are rotated [quarterly / on-demand]. We use [Securie / your scanner] on every PR — every code change is scanned for the OWASP Top 10 in a sandboxed copy of our app, and every finding is reproduced as a working exploit before we see it. If we ship a fix, the scanner regression-tests it against the original exploit. We can show you the audit trail.
>
> (2) The compliance posture. We're in the early stages of formal SOC 2 — Type 1 audit scheduled for [date], Type 2 evidence collection started [date]. We're [not] HIPAA-certified; our data handling is HIPAA-equivalent for [these specific controls], and we'd be willing to sign a BAA for an enterprise-tier customer. GDPR / CCPA compliant by data design (data minimization, deletion-on-request, no third-party processors except [list them]). We can share our DPA and our privacy policy.
>
> (3) The honest gap. [What you don't have yet]. We're working on it; the timeline is [date]. If this is a hard requirement for your team, let me know — we can either bring it forward or set up a workaround.
>
> Want to set up a 30-minute call to walk through any of this in detail? I can also send our security questionnaire pre-filled if your team has a standard one.
>
> [your name]
This works for three reasons:
- It's specific. The prospect's procurement team can grade specificity vs vagueness; specifics score.
- It's honest. The "honest gap" paragraph builds trust — every vendor has gaps, and the ones who admit them are the ones who actually have the rest under control.
- It moves to the next step. The "30-minute call" + "questionnaire pre-filled" close means the prospect doesn't have to write the next email; you've already given them two ways to advance.
## What to do if you're missing pieces
If you can't fill in some of the specifics above, that's fine — you don't have to lie, you just have to do the work. Here's the priority order.
### Priority 1: Get the basics right (1-2 days)
These are non-negotiable; if you don't have them, fix them today:
- TLS everywhere. Your custom domain → Vercel/CloudFlare → backend → database. No HTTP anywhere.
- Encryption at rest. Supabase, Stripe, AWS RDS — all encrypt at rest by default. Verify it's on. (For Supabase: it is, always.)
- Secrets in env vars, not source. Run `git log -p -S 'sk-'` on your repo. Every match is a leak. Rotate.
- RLS on every Supabase table. No exceptions. Even your "internal" tables.
- Authorization on every API route. Every `params.id` in your routes must be checked against the authenticated user's ownership. (See the 3 AM Lovable panic post for the canonical pattern.)
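As an added example (not code from this post or from Securie), here is the last Priority 1 rule, "check `params.id` against the authenticated user's ownership," in a Next.js-style route handler, with the vulnerable version beside the hardened one. The invoice rows, the `findInvoice*` helpers and the `(session, params) -> { status, body }` handler shape are constructed stand-ins for a Supabase table with an `owner_id` column and a real route handler.

```javascript
// Added example, not from the original post: the "check params.id against the
// authenticated user" pattern from Priority 1, as a vulnerable handler beside
// its hardened form. The store below is a constructed in-memory stand-in for a
// Supabase table with an owner_id column; (session, params) -> {status, body}
// is a simplification of a Next.js route handler.

// Constructed sample data: two users, each owning one invoice.
const invoices = [
  { id: 'inv_1001', owner_id: 'user_alice', total: 4200 },
  { id: 'inv_1002', owner_id: 'user_bob', total: 99 },
];

// Stand-in for `supabase.from('invoices').select().eq('id', id).single()`.
function findInvoiceById(id) {
  return invoices.find((row) => row.id === id) || null;
}

// Stand-in for the same query with `.eq('owner_id', userId)` added, which is
// the application-layer twin of an RLS policy `owner_id = auth.uid()`.
function findInvoiceForOwner(id, ownerId) {
  return invoices.find((row) => row.id === id && row.owner_id === ownerId) || null;
}

// VULNERABLE: trusts params.id and never consults the session. Any caller who
// knows or guesses an id can read any tenant's invoice (an IDOR).
function getInvoiceVulnerable(session, params) {
  const row = findInvoiceById(params.id);
  if (!row) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: row };
}

// HARDENED: require a session, then look the row up scoped to the caller.
// Rows the caller does not own return 404 rather than 403, so the response
// does not reveal whether the id exists at all.
function getInvoiceHardened(session, params) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const row = findInvoiceForOwner(params.id, session.userId);
  if (!row) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: row };
}

// Sends the same cross-tenant request (Bob asking for Alice's invoice) through
// both handlers and returns the two status codes side by side.
function demonstrate() {
  const bobSession = { userId: 'user_bob' };
  const aliceInvoice = { id: 'inv_1001' };
  return {
    vulnerable: getInvoiceVulnerable(bobSession, aliceInvoice).status,
    hardened: getInvoiceHardened(bobSession, aliceInvoice).status,
  };
}

console.log(demonstrate()); // { vulnerable: 200, hardened: 404 }
```

Run it with `node`; the hardened handler answers 404 for a row the caller does not own, which is the same outcome an RLS policy on `owner_id` gives you at the database layer. Keep both checks: the route-level one fails closed if someone later creates a table without RLS, and the RLS one still protects you when a route forgets the ownership filter.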
### Priority 2: Get a security tool that produces evidence (1 hour)
Install Securie. On every PR it produces a signed attestation bundle — DSSE-signed, in-toto v1, optionally Sigstore-rekor-published. The attestation says "this commit's code passed [N] security specialists, [N] sandbox-replayed exploits failed, [N] auto-fix PRs landed."
That bundle is your evidence. When the prospect asks "how do we know your scanner caught what you say it caught," you give them a verifiable artifact, not a vendor logo. Auditor-replicable evidence is the gold standard for compliance evidence; signed attestations are that standard.
The Solo Founder tier ($49/mo, 10 repos) includes a Production-Readiness Certificate — a 50-control checklist evaluated against your codebase + infrastructure, rendered as a public verifiable URL you can paste into security questionnaires. The certificate is valid for 30 days and re-evaluates on every push. It maps to the 50 controls procurement teams actually ask about (the AICPA SOC 2 Trust Services Criteria, baseline subset).
### Priority 3: Start the SOC 2 path (week 4)
If you're getting more than one of these emails per quarter, start SOC 2 Type 1. Six weeks, $5K, solo-founder doable. Full playbook: How to pass your first SOC 2 as a vibe coder.
### Priority 4: Build the security questionnaire library
Every prospect's security team has a questionnaire. Most of the questions are repeats. Build your answer library once and reuse. SafeBase, Vanta Trust, and Drata all sell trust-page tools that automate this — but at $0–49/mo scale, a Notion page with a public link works too.
## What not to do
Don't claim certifications you don't have. "SOC 2 ready" is fine. "SOC 2 certified" without an active audit is fraud, and procurement teams check.
Don't dodge the question. "Happy to discuss on a call" without specifics in the email reads as "we don't have anything substantive." It loses deals at exactly the stage you can't afford to lose them.
Don't oversimplify. "We use Vercel and Supabase, both are secure" is technically true and operationally meaningless. The prospect knows Vercel and Supabase are secure; they want to know about you.
Don't promise things you can't ship. If you say "we have RLS on every table," the next prospect's auditor will ask to verify it. Prove it before you say it.
## The deal-acceleration angle
The prospects who ask this question are the prospects who are serious about buying. The ones who don't ask have either (a) already decided they trust you, or (b) won't sign anyway. The "is your app secure?" email is the closing-conversation email — answer it well and you close.
Treat it as the signal it is.