Trust centre

Platform security, data handling, compliance, and sub-processors.

Last updated: 2026-04-22

We build a security product, so we take our own security seriously. This page summarises what we do and how to verify it.

Platform security

  • TLS everywhere. TLS 1.2 minimum, 1.3 preferred. HSTS preloaded. Weekly scan for weak ciphers.
  • Authentication. Supabase Auth with bcrypt-hashed passwords, optional TOTP, and social providers (Google, Microsoft).
  • Authorisation. Role-based within organisations; platform admin actions require a separate admin session on a different subdomain.
  • Secrets. All API keys for integrations are encrypted at rest with AES-256 under per-tenant keys. Platform secrets are stored in AWS Secrets Manager / Fly.io Secrets, never in code.

Data handling

  • Storage. Primary region: EU (Frankfurt). US region available on request for US-based customers.
  • Retention. Scan data retained for the life of the subscription plus 90 days. Account data purged within 30 days of deletion. Billing records retained 7 years.
  • Export. Full data export is available from the dashboard or on written request.

Compliance

  • GDPR / UK GDPR / UAE PDPL — compliant by design; DPA available.
  • SOC 2 Type II — assessment begins Q3 2026, target completion Q1 2027.
  • PCI DSS — we do not store card data; Stripe handles the PCI-relevant scope.

Vulnerability disclosure

We run a coordinated disclosure programme. Email [email protected] with findings; PGP key on request. We aim to triage within 3 business days and will recognise researchers publicly (with permission) in our hall of fame.

Uptime and incidents

  • Status page: status.yourdomain.com.
  • Target uptime: 99.9% monthly. Rolling 12-month uptime is published.
  • Incident history: every P1/P2 incident is followed by a public post-mortem within 7 days.

Sub-processors

The current list is maintained in our Privacy Policy. Notable entries:

  • Supabase — database + auth + storage (EU primary)
  • Stripe — payments (global)
  • Brevo — transactional email (EU)
  • Cloudflare — CDN + DDoS (global)
  • Upstash — Redis queue + cache (EU/US)
  • Anthropic / OpenRouter — AI explanations (inputs not used for training)

Hiring

Every employee signs a confidentiality and information-security agreement. Engineering access to production is limited to on-call staff and gated by a break-glass process with audit logging.