Trust Center

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use SSL with certificate verification.

All data is stored exclusively in EU data centers (Supabase EU region). We never transfer data outside the European Economic Area.

Bcrypt password hashing, optional TOTP two-factor authentication, session management with automatic expiry, and OAuth 2.0 PKCE flows for Google and Microsoft.

PostgreSQL RLS enabled on all 21 user-data tables, with FORCE RLS on the 5 most sensitive (encryption keys, SSO config, OAuth accounts, verification tokens, SAML assertions). The anonymous role has zero access — organisations can only see their own data.

Every compliance-related action is logged with before/after snapshots. Full audit trail across 20+ endpoints for evidence collection, with cross-tenant change-log diffs available to platform admins.

Every platform-admin action is recorded in an immutable activity log. Impersonation requires explicit start/end with the impersonator stamped on the session. Feature flags are scoped per organisation with rollout percentages.

Sentry release tracking, structured request logging, /health probes for DB and Redis, automated session cleanup, and 7 BullMQ background workers with a live admin queue dashboard.

Business tier customers can bring their own encryption keys for an additional layer of data protection and control.

Rate limiting (4 tiers), CSRF protection, XSS sanitization, security headers, and request logging on all API endpoints.

Data minimization, purpose limitation, right to erasure, data portability, and privacy by design throughout the platform.