Security overview
This page describes the practical controls we build around, not certification badges we may not hold yet. If you need ISO 27001, SOC 2, or HIPAA BAA specifics, ask during procurement so we can map what is available today and what we plan next.
Transport and platform security
Traffic to our app uses HTTPS. Hosting and managed database providers apply their own physical and network controls—we select vendors with strong baseline programmes and document subprocessors in your DPA when you sign an enterprise agreement.
Tenant isolation (RLS)
Application data lives in Postgres with Row Level Security keyed to tenant membership. The intent is that users only read and write rows their organisation is allowed to see, enforced in the database—not only in app code.
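One way to express membership-keyed Row Level Security of the kind described above, shown here as an added example rather than the product's own schema. It assumes Supabase's auth.uid() helper; the table, column and function names are illustrative.

```sql
-- Added example, not the product's own schema: RLS policies that let a
-- user read and write only rows of organisations they belong to.
-- Assumes Supabase's auth.uid(); table and column names are hypothetical.
create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership: which Supabase Auth users belong to which organisation.
create table memberships (
  org_id  uuid not null references organisations(id) on delete cascade,
  user_id uuid not null,  -- auth.users.id
  primary key (org_id, user_id)
);

-- Tenant-owned data; every row carries its organisation.
create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organisations(id) on delete cascade,
  title  text not null
);

alter table projects enable row level security;
-- FORCE applies policies to the table owner too (superusers still bypass).
alter table projects force row level security;

-- True when the calling user is a member of the given organisation.
-- SECURITY DEFINER lets the policy consult memberships even if that table
-- has its own RLS; search_path is pinned so the function cannot be hijacked.
create or replace function is_member_of(target_org uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from memberships
    where org_id = target_org and user_id = auth.uid()
  );
$$;

-- Reads: only rows of organisations the caller belongs to.
create policy projects_select on projects
  for select using (is_member_of(org_id));
-- Writes: WITH CHECK stops a caller from inserting or moving a row into
-- a tenant they are not a member of, not just from reading it.
create policy projects_insert on projects
  for insert with check (is_member_of(org_id));
create policy projects_update on projects
  for update using (is_member_of(org_id)) with check (is_member_of(org_id));
create policy projects_delete on projects
  for delete using (is_member_of(org_id));
```

Note that the Supabase service role bypasses RLS entirely, which is why its key must never reach the browser.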
Authentication
End users authenticate via Supabase Auth. Enable multi-factor authentication through your identity settings where your policy requires it.
Secrets and server access
Service credentials (e.g. Stripe, Supabase service role) stay server-side. Never commit keys to the repo; use your host’s secret manager in production.
Backups and availability
Supabase projects include automated database backups on paid tiers; confirm the retention period and point-in-time recovery (PITR) availability in your project plan. Application uptime depends on your hosting provider’s SLA.
Your responsibilities
You control user provisioning, password policy, exports you download, and any custom integrations. Classify your data, run access reviews, and notify us when you suspect misuse.