Security

Kardu is built for compliance professionals. Security is structural, not an afterthought — every architecture decision enforces it.

EU data residency

100% of compliance data stays in the European Union. Application servers run on Vercel Frankfurt (fra1). Database and file storage run on Supabase EU (Frankfurt). No user data is ever processed outside the EU.

Encryption

All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256 by Supabase. Evidence files are stored in private Supabase Storage buckets, accessible only via time-limited signed URLs (5-minute TTL).

Data isolation

Every database table that contains tenant data enforces Row Level Security (RLS) at the database level. The tenant ID is always extracted from the authenticated JWT claim — never from the request body. Cross-tenant data access is structurally impossible.

Access control

Three-role RBAC model: org:admin, org:contributor, org:viewer. Every API route validates the JWT role before executing any business logic. Multi-factor authentication (TOTP) is available to all users; backup codes are stored hashed.

Audit logging

An immutable audit trail records all significant actions: logins, control changes, evidence uploads, billing events, and user management. For tenants the audit table is INSERT-only: no tenant can modify or delete audit records. A platform-level retention job automatically archives records older than 24 months and permanently purges them after 5 years (GDPR Art. 5(1)(e)).
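The data isolation, access control and audit logging sections above describe three properties that are enforced in the database rather than in application code: tenant ID taken only from the verified JWT, role checks for write operations, and an INSERT-only audit table with a platform-level retention job. The following Postgres Row Level Security schema is an added illustration of how those properties can be expressed; it is not Kardu's own schema. It assumes Supabase's built-in auth.jwt() and auth.uid() helpers and its authenticated role, and that the JWT carries app_metadata.tenant_id and app_metadata.org_role (hypothetical claim names chosen for the example).

```sql
-- Added example, not Kardu's schema. Assumes Supabase's auth.jwt()/auth.uid()
-- helpers and hypothetical JWT claims app_metadata.tenant_id / app_metadata.org_role.

-- Read tenant and role from the verified JWT only, never from request input.
-- With no JWT present both helpers yield NULL / the least-privileged role,
-- so every policy below evaluates to false for unauthenticated sessions.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

create or replace function current_org_role() returns text
language sql stable as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'org_role', 'org:viewer')
$$;

create table evidence (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  file_path  text not null,
  created_by uuid not null default auth.uid(),
  created_at timestamptz not null default now()
);
alter table evidence enable row level security;

-- Every tenant can read only its own rows.
create policy evidence_tenant_select on evidence
  for select to authenticated
  using (tenant_id = current_tenant_id());

-- Contributors and admins may upload. tenant_id is compared with the claim,
-- so a tenant_id supplied in the request body that differs from it is rejected.
create policy evidence_tenant_insert on evidence
  for insert to authenticated
  with check (tenant_id = current_tenant_id()
              and current_org_role() in ('org:admin', 'org:contributor'));

-- Only admins may delete evidence, and only within their own tenant.
create policy evidence_admin_delete on evidence
  for delete to authenticated
  using (tenant_id = current_tenant_id()
         and current_org_role() = 'org:admin');

-- Audit log: tenants can insert and read their own records, nothing else.
create table audit_log (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  actor_id   uuid not null default auth.uid(),
  action     text not null,
  details    jsonb not null default '{}'::jsonb,
  created_at timestamptz not null default now(),
  archived   boolean not null default false
);
alter table audit_log enable row level security;

create policy audit_tenant_insert on audit_log
  for insert to authenticated
  with check (tenant_id = current_tenant_id());

create policy audit_tenant_select on audit_log
  for select to authenticated
  using (tenant_id = current_tenant_id());
-- No UPDATE or DELETE policy is defined, so with RLS enabled those
-- statements affect zero rows for tenant sessions (default deny).

-- Platform-level retention: archive after 24 months, purge after 5 years.
-- SECURITY DEFINER runs the body as the function owner; that owner must be
-- the table owner or hold BYPASSRLS, otherwise the tenant policies above
-- would apply to the job as well. Schedule it with pg_cron or similar.
create or replace function audit_retention() returns void
language sql security definer set search_path = public, pg_temp as $$
  update audit_log set archived = true
   where not archived and created_at < now() - interval '24 months';
  delete from audit_log
   where created_at < now() - interval '5 years';
$$;
```

Two points worth checking in any deployment of this pattern. First, the claims must come from a part of the token the user cannot edit: in Supabase, app_metadata is writable only with the service role, whereas user_metadata is user-editable and must never feed a policy. Second, RLS only binds roles that are subject to it; a review should confirm that every role the application connects as is covered, and that no route falls back to the service-role key, which bypasses RLS entirely.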

Rate limiting

Login attempts are rate-limited to 5 per IP per 15 minutes. Registration is limited to 3 per IP per hour. Limits are enforced via Upstash Redis (EU region) at the edge, before any application code runs.

Infrastructure summary

Component              Provider              Region
Application hosting    Vercel                EU Frankfurt (fra1)
Database               Supabase PostgreSQL   EU Frankfurt
File storage           Supabase Storage      EU Frankfurt
Authentication         Supabase Auth         EU Frankfurt
Rate limiting          Upstash Redis         EU
Transactional email    Brevo                 EU (GDPR DPA)
Payments               Stripe                Global (payment data only)

Vulnerability disclosure

If you discover a security vulnerability in Kardu, please report it responsibly to security@kardu.eu. We will acknowledge receipt within 48 hours and keep you updated as we address the issue. Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to investigate and remediate.

GDPR & data protection

Kardu processes personal data under the GDPR as both a controller (account data) and processor (compliance content). A full Data Processing Agreement is available. For data protection enquiries: privacy@kardu.eu.