FIPVCC Data Security: How FairVC Protects Sensitive Demographic Information
Demographic data collected under FIPVCC — including race, ethnicity, gender identity, sexual orientation, disability status, and veteran status — is among the most sensitive categories of personal information. FairVC is built from the ground up with security as a core requirement, ensuring that this data is protected throughout its lifecycle.
AES-256-GCM Encryption at Rest
Every demographic survey response stored in FairVC is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This is the same encryption standard used by financial institutions, government agencies, and military applications.
- 256-bit key length — Considered computationally infeasible to break with current or foreseeable technology.
- GCM mode — Provides both encryption and authentication, ensuring data integrity and tamper detection.
- Per-response encryption — Each survey response is encrypted individually, limiting the blast radius of any single key compromise.
- Key rotation — Encryption keys are rotated periodically, and FairVC supports key versioning so that keys can be rotated without downtime for re-encrypting data.
Data Anonymization and Aggregation
FairVC never exposes individual demographic responses in reports or analytics. All data presented to firm users and included in DFPI reports is aggregated and anonymized:
- Aggregate-only reporting — The DFPI Venture Capital Demographic Data Report contains only aggregate counts and percentages. No individual-level data is ever included.
- Anonymized analytics — The FairVC analytics dashboard shows portfolio-level diversity metrics, not individual founder responses.
- Threshold protections — Diversity determinations are made only once response rates are sufficient, preventing inference from small sample sizes.
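The aggregate-only reporting and threshold protections listed above, as an added Python example (not FairVC's code). The two threshold values, the function name and the sample records are assumptions; the sketch goes one step beyond the text by also applying complementary suppression, so a single hidden count cannot be recovered by subtracting the visible counts from the total.

```python
from collections import Counter

# Assumed thresholds for illustration; the page does not state FairVC's values.
MIN_RESPONSE_RATE = 0.5   # share of surveyed founders who must answer
MIN_CELL_SIZE = 5         # smallest count that may be published

def aggregate_report(surveys_sent, responses, field):
    """Return aggregate counts for `field`, or withhold the report entirely.

    `responses` is a list of dicts; a None or missing value means the
    founder declined to answer that question.
    """
    answered = [r[field] for r in responses if r.get(field) is not None]
    rate = len(answered) / surveys_sent if surveys_sent else 0.0
    if rate < MIN_RESPONSE_RATE:
        # Too few answers: publish nothing rather than a misleading breakdown.
        return {"status": "withheld", "response_rate": round(rate, 2), "cells": {}}

    counts = Counter(answered)
    small = {k for k, n in counts.items() if n < MIN_CELL_SIZE}
    # Complementary suppression: with exactly one hidden cell, its value is
    # total minus the visible cells, so hide the smallest visible cell too.
    if len(small) == 1 and len(counts) > 1:
        visible = {k: n for k, n in counts.items() if k not in small}
        small.add(min(visible, key=visible.get))
    cells = {k: (None if k in small else n) for k, n in counts.items()}
    return {"status": "ok", "response_rate": round(rate, 2),
            "total": len(answered), "cells": cells}

# Constructed sample data: 18 answers and 3 declines.
SAMPLE = ([{"gender": "woman"}] * 9 + [{"gender": "man"}] * 7
          + [{"gender": "nonbinary"}] * 2 + [{"gender": None}] * 3)

if __name__ == "__main__":
    print(aggregate_report(25, SAMPLE, "gender"))   # published, two cells hidden
    print(aggregate_report(40, SAMPLE, "gender"))   # withheld, rate below 0.5
```

A suppressed cell is reported as None; the consumer of the report should render it as "suppressed", not as zero.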
Access Controls and Authentication
FairVC implements strict access controls to ensure only authorized personnel can access compliance data:
- Multi-tenant architecture — Each firm's data is completely isolated. Users can only access data belonging to their own firm.
- Role-based access — Admin and member roles control who can manage portfolio companies, send surveys, and generate reports.
- Secure authentication — Passwords are hashed using bcrypt with 12 rounds. Sessions are managed via secure, HTTP-only tokens.
- Automatic session timeout — Sessions are automatically terminated after 30 minutes of inactivity, reducing the risk of unauthorized access from unattended devices.
Secure Data Retention
FIPVCC requires firms to maintain records related to compliance. FairVC provides:
- 5-year encrypted retention — Demographic data and reports are securely retained for 5 years on the Annual plan, meeting record-keeping obligations.
- Encrypted backups — Database backups maintain the same encryption protections as live data.
- Data lifecycle management — When retention periods expire, data can be securely deleted in compliance with privacy regulations.
Audit Trail and Activity Logging
FairVC maintains a comprehensive audit trail for compliance accountability:
- Activity logs — Every compliance-relevant action is logged: survey sends, responses received, reports generated, data exports, and account changes.
- Email event tracking — Survey invitation delivery is tracked through SendGrid webhooks, providing proof that surveys were distributed as required by FIPVCC.
- Timestamped records — All actions are recorded with precise timestamps for regulatory accountability.
Privacy Law Compliance
Beyond FIPVCC requirements, FairVC is designed to comply with applicable privacy laws governing sensitive demographic data:
- California Consumer Privacy Act (CCPA) — FairVC supports data access, deletion, correction, and opt-out requests.
- GDPR — For any EU-based founders, FairVC supports data subject rights including access, erasure, and portability.
- Voluntary participation — The survey process clearly communicates that participation is voluntary and provides a decline option, respecting founder autonomy.
Read our full privacy policy for detailed information on data handling practices.