Trust Center

Security Measures

A complete overview of our technical and organizational measures (TOMs) under Article 32 GDPR is available under NDA on request. The summary below covers the public-facing portions.

Encryption

  • In transit: TLS 1.2+ for all external connections, enforced by Vercel's edge network
  • At rest: AES-256 encryption in Supabase Postgres and Storage

Access control

  • Role-based access control (RBAC) for customer administrators in the Cockpit
  • Row-Level Security (RLS) in Supabase for tenant isolation
  • Multi-factor authentication for all employee access (Vercel, Supabase, Upstash, GitHub)
  • Principle of least privilege
  • Audit logs of all administrative access at the subprocessor level

Network security

  • Vercel WAF and DDoS protection at the edge
  • Automated TLS certificate management
  • IP-based rate limits via Upstash for critical endpoints
  • Logging of security-relevant events via Vercel and Supabase

Application security

  • Code reviews for all changes before merging into the main branch
  • Static code analysis in the CI/CD pipeline
  • Secure development practices aligned with the OWASP Top 10
  • Separation of preview and production environments via Vercel

People

  • Confidentiality obligations for all employees and contractors
  • Mandatory security and data protection onboarding for new joiners
  • Full-disk encryption mandatory on all company devices
  • Password manager and MFA for all company and infrastructure tools

Copyright © 2026 Laioutr GmbH