LEGAL
Security
Last updated: 18 July 2026
Last updated: 18 July 2026
Your cap table is some of the most sensitive data your company has. This page describes, plainly, how Vquity protects it today: what we do, and what we do not claim.
Encryption
- In transit: all traffic between your browser or desktop app and our servers uses TLS.
- At rest: data and uploaded documents are encrypted at rest by our cloud infrastructure provider.
Passwordless portal authentication
Investor and employee portals use passwordless one-time codes instead of passwords, so there are no portal passwords to leak or reuse:
- codes are stored hashed, never in plain text;
- codes expire after 10 minutes;
- requests are rate-limited to slow down guessing;
- portal sessions are stored hashed as well.
The desktop app keeps an offline cache for portals so stakeholders can view their holdings without a connection, but signing back in always requires a fresh code.
Role-based access control
Access inside a workspace is gated by role. Admins control who sees what; portal users see only their own holdings, activity, and documents, not the full cap table. Investors do not get self-serve access to the whole table; anything beyond their own position is shared deliberately by an admin. See stakeholder portals for how the scoping works in practice.
Audit trail and reversibility
Changes to equity records are written to an audit trail, and supported destructive operations sit on a reversibility chain so mistakes can be traced and unwound rather than silently lost. AI-extracted document fields keep an override history so reviewers can compare an extracted value with a human correction. Snapshots add point-in-time cap-table records and field-level diffs for supported fields. More on this in compliance features and snapshots.
AI processing boundaries
AI document extraction runs only on documents you explicitly submit for extraction. Nothing is scanned in the background. Every extracted field is shown for review before it touches your records, and edits to extracted values are logged. We do not train general-purpose AI models on your documents or cap-table data.
Desktop app
The Windows app provides a dedicated Vquity window and connects to the same service and workspace data as the web app. Download availability and current installation guidance are on the download page.
Data export freedom
Security includes not being trapped. You can export company details, share classes, shareholders, rounds, grants, and warrants in XLSX or JSON, export shareholders in CSV, restore the structured JSON backup, and download the Data Room as a zip, without asking us. We describe that coverage precisely so you know what your independent backup contains.
What we don't claim
We do not currently hold third-party security certifications, and we won't imply otherwise. If your diligence process requires a specific attestation or a security questionnaire, email us and we will answer honestly about where we are and what is on the roadmap.
Responsible disclosure
If you find a vulnerability in Vquity, please report it to support@lisan.com before disclosing it publicly. Include steps to reproduce and, if you can, the affected component. We will acknowledge your report, keep you informed while we fix the issue, and credit you if you want credit. Please do not access data that isn't yours while testing.
Related
How we handle personal data is covered in the Privacy Policy; the rules of use are in the Terms of Service.