[ SECURITY & PRIVACY ]

Built for regulated teams.

Your regulatory data is protected with the same rigor you apply to your compliance programs. EU data residency, row-level isolation, and encryption at rest and in transit.

Encryption

  • AES-256 encryption at rest for all stored data and files
  • TLS 1.3 encryption in transit for all API communications
  • SHA-256 file integrity verification on every upload

Access Control

  • Organization-level data isolation with Row Level Security (RLS)
  • Role-based access control (Owner, Admin, Member, Viewer)
  • Multi-factor authentication (MFA) with brute-force protection
  • Session management with automatic expiry

Audit & Compliance

  • Immutable audit trail for all file operations (upload, download, delete)
  • Email delivery tracking and engagement logging
  • User activity monitoring with session attribution
  • Compliance-ready reporting for regulatory requirements

Data Residency

  • Primary data storage in UK and EU regions
  • Supabase infrastructure with SOC 2 Type II certification
  • Cloudflare edge network for global performance with EU data processing
  • No data transferred outside the EU unless explicitly configured

Data Retention & Deletion

  • Configurable data retention policies per organization (default: 365 days)
  • Automated retention enforcement with daily compliance checks
  • Right to deletion: complete data purge available on request
  • GDPR-compliant data subject access and portability

Payment Security

  • PCI DSS compliant payment processing via Stripe
  • No credit card data stored on our servers
  • Cryptographic webhook signature verification on all payment events
  • Automated payment failure handling with grace periods

Application Security

  • Input validation and sanitization on all user inputs
  • Cross-Site Scripting (XSS) protection with content sanitization
  • API rate limiting and brute-force protection
  • JWT-based authentication on all sensitive endpoints
  • Webhook signature verification (Stripe, third-party integrations)

Infrastructure

  • Cloudflare DDoS protection and Web Application Firewall
  • Automated SSL certificate management
  • Edge function isolation (each API runs in its own sandbox)
  • Database connection encryption and IP restrictions

Standards & Certifications

GDPR

EU General Data Protection Regulation compliant

SOC 2

SOC 2 Type II infrastructure via Supabase

PCI DSS

PCI DSS compliant payment processing (Stripe)

Security questions?

For security inquiries, vulnerability reports, or data protection requests, contact us directly.