Security overview

Security at Extraordinary

Extraordinary protects customer information used across its public website, application portal, evaluation flow, case workflows, and support operations.

This page is a customer-facing summary of the security practices we share with customers and partners. It does not include sensitive internal architecture details, secrets, or private procedures.

Last updated

June 8, 2026

Compliance

SOC 2 readiness managed in Vanta

Practices

We keep this overview high level and focused on customer-facing commitments.

Data protection

  • Extraordinary services are served over HTTPS/TLS.
  • Customer data is stored in managed cloud data platforms with provider encryption controls.
  • Application secrets and API keys are kept in managed environment and secret stores.
  • Selected sensitive authentication and user-secret material uses application-level encryption where implemented.

Access control

  • Access to production systems and customer data is limited to authorized team members and service accounts with a business need.
  • Extraordinary applications use Google OAuth, NextAuth, Clerk, and token-based service authentication depending on the product surface.
  • Admin paths use role checks and MFA requirements where implemented.
  • Case and evaluation data access is scoped by ownership, assignment, team membership, sharing, or approved administrative role.

Infrastructure

  • The public website, application surfaces, databases, and supporting services run on managed cloud providers.
  • Public application surfaces use managed deployment platforms with HTTPS and deployment isolation controls.
  • Operational changes and customer-impacting issues are coordinated through internal engineering and support channels.

Secure development

  • Source code is managed in GitHub and production changes are tracked through version control.
  • Active repositories use build, type-check, lint, formatting, and test workflows appropriate to the application.
  • Security-sensitive services include tests for authenticated access, token scope, sandbox boundaries, redirects, and unsafe request patterns.
  • Dependency scanning and vulnerability remediation are part of the security review process.

Service providers

  • Extraordinary uses third-party infrastructure, identity, payment, communications, analytics, document, and AI providers to deliver the service.
  • Vendors are reviewed according to their role, data sensitivity, and operational impact.
  • AI provider use that supports evaluation, research, drafting, or case workflows is described in the Privacy Policy.

Incident response

  • Security events are reviewed, contained, and remediated based on impact and urgency.
  • If an incident materially affects customer data or service availability, Extraordinary notifies affected customers through appropriate communication channels.
  • Security and privacy questions can be sent to contact@extraordinary.com.

Service providers

Selected subprocessors and service providers

Extraordinary uses these providers to support product delivery, infrastructure, and business operations. This is a high-level overview for customer security review.

  • Vercel: Hosting and deployment
  • Convex: Application data platform
  • Google Workspace: Identity and productivity
  • GitHub: Source control and development
  • Clerk / Google OAuth: Authentication
  • Railway / AWS-backed services: Infrastructure
  • Stripe: Payments
  • Resend: Transactional email
  • Slack / Linear: Internal communication and issue tracking
  • Contentful: Website content management

Security contact

For security questions, suspected issues, or customer security review requests, contact our team. Please avoid sending sensitive personal information unless requested through an approved support channel.
