Pelagos

Security

Last updated March 2026


Your compliance documents, including SMS manuals, procedures, audit records, and inspection evidence, are among the most sensitive assets your company manages. Protecting them is foundational to everything we build at Pelagos.

For security-related questions, contact us at security@getpelagos.com.

Pelagos is built by NiekaLab. We are transparent about where we stand today. This page describes what we have in place, what we are actively working on, and how we approach the security of your compliance data. We hope this helps you make an informed decision.


Our Commitment

We built Pelagos to handle compliance documents that maritime companies trust us with, including operational procedures, safety management systems, inspection evidence, and audit records. We treat every document uploaded to Pelagos as confidential by default.

Our commitments are straightforward:

  • Your documents are never shared with other customers.
  • Your documents are never used to train AI models.
  • Your data belongs to you. You can request full deletion at any time.
  • We are transparent about every service that touches your data.

Infrastructure Security

Pelagos is built on the following infrastructure and services, organized by their role in the system:

AWS (ap-northeast-1, Tokyo)

Our primary infrastructure. The backend API, frontend application, and document file storage (Amazon S3) are all hosted on AWS in the Tokyo region.

Supabase Cloud

Handles user authentication and our primary database. Supabase is built on PostgreSQL and hosted on AWS infrastructure. Supabase enforces encryption at rest and in transit for all hosted projects. You can review their security practices at supabase.com/security.

Cloudflare

Sits in front of our application as a reverse proxy and CDN. Cloudflare provides DDoS protection, SSL termination, and performance optimization. Cloudflare may see request data in transit but does not store application data.

Anthropic

We use Anthropic's API to power compliance analysis features. Anthropic's API data usage policy states that they do not train models on data submitted through the API. You can review their policy at trust.anthropic.com.

OpenAI

We use OpenAI's API to power compliance analysis features. OpenAI's API data usage policy states that they do not train models on data submitted through the API. You can review their policy at openai.com/business-data.

Stripe

Handles all payment processing, billing, and subscription management. Stripe processes payment information (such as credit card details) directly. Pelagos does not store credit card numbers or payment credentials on our servers. This is handled entirely by Stripe. Stripe is PCI DSS Level 1 certified. You can review their security practices at stripe.com/docs/security.

We do not operate infrastructure in China. To our knowledge, none of our subprocessors do either.


AI Processing and Data Privacy

Pelagos uses AI to analyze your compliance documents against frameworks such as TMSA, DryBMS, and SIRE. Here is how your data flows through the system:

  1. You upload documents to Pelagos. Files are stored in Amazon S3 in the Tokyo region.
  2. When you run a compliance analysis, relevant document content is sent from our backend to Anthropic or OpenAI's API for processing.
  3. The AI model analyzes your documents against the selected framework and returns compliance findings.
  4. Results, including KPI scores, evidence mapping, and gap analysis, are stored in our database (Supabase).

What this means for your data

  • Document content is sent to AI providers only when you initiate an analysis. It is not sent continuously or in the background.
  • Both Anthropic and OpenAI state in their API policies that data submitted via their APIs is not used to train their models. We link to their official policies in the Infrastructure Security section above.
  • AI providers may temporarily process your data in memory to generate responses, but do not persist it beyond the request lifecycle.
  • We do not currently have formal zero data retention agreements with our AI providers. As we grow, securing these agreements is on our roadmap.

Document Storage and Encryption

In transit

All data transmitted between your browser, our servers, and third-party services is encrypted using TLS (Transport Layer Security). This includes document uploads, API requests, and AI processing calls.

At rest

Documents stored in Amazon S3 are protected by AWS's server-side encryption. Our database on Supabase Cloud includes encryption at rest as part of their managed infrastructure.

Document isolation

Each customer's documents are logically separated in our storage and database layer. One company's documents are never accessible to another company's users.

We are evaluating additional encryption measures, including customer-managed encryption keys, as part of our security roadmap.


Access Control

Pelagos supports role-based access control (RBAC). Organization administrators can define who on their team can view, edit, or manage compliance documents, analysis results, and submission packages.

Current capabilities

  • Role-based permissions within an organization
  • User authentication managed through Supabase Auth with secure session handling
  • Organization-level data isolation
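The "Document isolation" section and the "Organization-level data isolation" capability above both describe logical separation of customers inside a shared PostgreSQL database (Supabase). The page does not say how that separation is enforced. The block below is an added illustration, not Pelagos' or Supabase's own schema, of the standard PostgreSQL mechanism for this: row-level security policies keyed on organization membership, so that isolation is enforced by the database on every query rather than by each application code path remembering to filter. The tables, columns and role names are assumptions; auth.uid() is Supabase's helper that returns the authenticated user's id.

```sql
-- Added example (assumed schema, not Pelagos' own). Demonstrates
-- organization-level isolation with PostgreSQL row-level security.

CREATE TABLE documents (
    id            bigserial PRIMARY KEY,
    org_id        uuid NOT NULL,
    owner_user_id uuid NOT NULL,
    s3_key        text NOT NULL,          -- object key in the document store
    uploaded_at   timestamptz NOT NULL DEFAULT now()
);

-- Assumed membership table: which organization each user belongs to, and
-- their role within it. The application's RBAC roles are stored here.
CREATE TABLE org_members (
    org_id  uuid NOT NULL,
    user_id uuid NOT NULL,
    role    text NOT NULL CHECK (role IN ('admin', 'editor', 'viewer')),
    PRIMARY KEY (org_id, user_id)
);

-- Turn RLS on. FORCE makes the policies apply to the table owner as well,
-- so a misconfigured connection does not silently bypass isolation.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Read policy: a row is visible only to members of the organization
-- that owns it. Other organizations' rows are filtered out, not errored.
CREATE POLICY documents_select_same_org ON documents
    FOR SELECT
    USING (
        EXISTS (
            SELECT 1
            FROM org_members m
            WHERE m.org_id  = documents.org_id
              AND m.user_id = auth.uid()
        )
    );

-- Write policy: only admins and editors of the owning organization may
-- insert, update or delete. WITH CHECK additionally rejects any attempt
-- to create a row, or move an existing one, into an organization the
-- caller is not an admin/editor of.
CREATE POLICY documents_modify_admin_editor ON documents
    FOR ALL
    USING (
        EXISTS (
            SELECT 1
            FROM org_members m
            WHERE m.org_id  = documents.org_id
              AND m.user_id = auth.uid()
              AND m.role IN ('admin', 'editor')
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM org_members m
            WHERE m.org_id  = documents.org_id
              AND m.user_id = auth.uid()
              AND m.role IN ('admin', 'editor')
        )
    );

-- Membership rows must not be self-editable, otherwise a viewer could
-- promote themselves or join another organization. Read-only for members;
-- changes go through a privileged backend path.
ALTER TABLE org_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE org_members FORCE ROW LEVEL SECURITY;

CREATE POLICY org_members_read_own_orgs ON org_members
    FOR SELECT
    USING (user_id = auth.uid());
```

With these policies in place, a query run under an authenticated user's session returns zero rows for any other organization's documents whatever filter the query carries, and an INSERT or UPDATE naming a foreign org_id is rejected by the WITH CHECK clause. Two operational caveats a reviewer would check: connections that use a service or superuser role bypass RLS entirely, so those credentials belong only in the backend and never in the browser; and the same org_id scoping should be mirrored in the object store (for example by prefixing S3 keys with the organization id and scoping presigned URLs to that prefix), since a database policy does not protect a file whose key has leaked.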

On our roadmap

  • Single Sign-On (SSO) integration for enterprise customers
  • Audit logging for user actions within the platform
  • Granular permissions at the vessel or framework level

Data Retention and Deletion

You retain full ownership of all data uploaded to or generated within Pelagos, including documents, analysis results, disputes, stage claims, and submission packages.

Deletion

You can request full deletion of your organization's data at any time by contacting us at security@getpelagos.com. Upon receiving a deletion request, we will remove all associated data from our database, document storage, and any backups within 30 days.

What happens to AI-processed data

Since our AI providers (Anthropic and OpenAI) do not retain API data per their stated policies, there is no additional data to delete on their end after a request is processed.


Certifications Roadmap

Pelagos does not currently hold SOC 2 or ISO 27001 certifications. Both are on our roadmap as we scale.

Planned

  • SOC 2 Type II certification
  • ISO 27001 certification

We will update this page as we make progress toward these certifications. In the meantime, we are committed to following security best practices and being transparent about our current posture.


Vulnerability Reporting

If you believe you have found a security vulnerability in Pelagos, please report it to us at security@getpelagos.com.

We commit to acknowledging vulnerability reports within 5 business days and addressing them as promptly as possible. If a vulnerability affects customer data, we will notify impacted customers directly.