Security posture
The short-form summary a procurement reviewer or InfoSec team can skim before asking for the full pack. It names each control, points at the file or provider that enforces it, and is honest about what is not yet in place.
Data residency
Every stored row lives in a Supabase project provisioned in eu-west-2 (London). The app runs on Vercel in lhr1 (London). No customer data is processed outside the United Kingdom or the European Economic Area.
- Database region: eu-west-2 (London, hard coded in src/lib/trust.ts)
- Application region: lhr1 (locked in vercel.json)
- Database host: wyqbyfseuwqqadmfjvqg.supabase.co (Supabase project ref appears in the URL)
Tenancy isolation
Every tenant-scoped table has Row Level Security enabled, with policies that filter on org_id. The org identifier comes from a JWT claim set at sign-in, not from application code. Cross-tenant access is tested with pgTAP in supabase/tests/0001_tenancy_isolation.sql.
- Enforcement: Postgres RLS
- Key tables: orgs, workers, shifts, shift_scores, members, invites
- JWT claim: org_id (set by auth hook, see supabase/migrations/0003_auth_org_claim.sql)
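The pattern described above, as an added example that is not Rotapulse's own migration or pgTAP test: a policy that derives the tenant from the session's JWT claim and a test that proves one tenant cannot read or write another tenant's rows. It assumes a table `shifts` with an `org_id uuid` column, a Postgres role named `authenticated`, and the `org_id` claim reaching SQL through the `request.jwt.claims` setting; the `id` column and the sample UUIDs are constructed for the test.

```sql
-- Added example, not Rotapulse's migration or its pgTAP test. Assumes a table
-- `shifts` with an `org_id uuid` column, a role `authenticated`, and the
-- org_id JWT claim exposed via the request.jwt.claims setting.

-- 1. Read the tenant from the session's JWT, never from a value the
--    application passes in. Returns NULL when there is no claim.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'org_id', '')::uuid
$$;

-- 2. Enable and force RLS so even the table owner is subject to the policy.
alter table shifts enable row level security;
alter table shifts force row level security;
grant select, insert, update, delete on shifts to authenticated;

-- 3. One policy covers reads (USING) and writes (WITH CHECK): a row is visible
--    or writable only when its org_id matches the caller's claim. A missing
--    claim yields NULL, and NULL = x is never true, so no rows leak.
create policy shifts_tenant_isolation on shifts
  for all to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- 4. pgTAP test of the isolation property (run with pg_prove or supabase test db).
begin;
select plan(4);

-- Constructed sample data: one shift in each of two tenants, inserted by the
-- test's superuser connection before the role switch (superusers bypass RLS).
insert into shifts (id, org_id) values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111'),
  ('bbbbbbbb-0000-0000-0000-000000000002', '22222222-2222-2222-2222-222222222222');

-- Act as a signed-in user of tenant 1.
set local role authenticated;
set local request.jwt.claims to '{"org_id": "11111111-1111-1111-1111-111111111111"}';

select is((select count(*) from shifts), 1::bigint,
  'tenant 1 sees exactly its own shift');
select is((select count(*) from shifts
           where org_id = '22222222-2222-2222-2222-222222222222'), 0::bigint,
  'asking for another org_id explicitly still returns nothing');
select throws_ok(
  $$ insert into shifts (id, org_id)
     values ('cccccccc-0000-0000-0000-000000000003',
             '22222222-2222-2222-2222-222222222222') $$,
  '42501', null,
  'tenant 1 cannot write a row into tenant 2');

-- No org_id claim at all: nothing is visible.
set local request.jwt.claims to '{}';
select is((select count(*) from shifts), 0::bigint, 'no org_id claim, no rows');

select * from finish();
rollback;
```

The `force row level security` line is the detail most often missed: without it the table owner (which is what many migration tools connect as) silently bypasses every policy, so a test run as the owner would pass even if the policy were wrong.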
Authentication
Authentication is backed by Supabase Auth. Sessions are cookie-based (HttpOnly, SameSite=Lax, Secure in production). Passwords are never seen or stored by the application layer. Magic links use PKCE and expire quickly.
- Providers: email + password, email magic link
- Session store: HttpOnly cookies, Supabase SSR
- Password hashing: Supabase (bcrypt)
- 2FA: roadmap, not yet available
Encryption
Traffic between the browser, Vercel, and Supabase is encrypted end-to-end. Customer data at rest is encrypted by Supabase using industry-standard algorithms. Secrets live in Vercel environment variables and are never committed to the repo.
- In transit: TLS 1.2+ everywhere
- At rest: Supabase managed AES-256
- Secrets: Vercel env vars (encrypted, scoped per environment)
Access control, inside Rotapulse
Customer workspace access is scoped by role. Anything a Rotapulse operator does on behalf of a customer (resending invites, soft-disabling a workspace) goes through a dedicated internal panel that writes to an append-only platform audit log. Workspace-level actions additionally write per-tenant audit events.
- Member roles: owner, admin, member
- Platform staff: owner, staff (audited)
- Admin panel: /internal (gated by requirePlatformStaff(), every action writes platform_audit_log)
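What "append-only" means at the database layer, as an added example rather than Rotapulse's own schema: the log can be written and read but never rewritten or trimmed, enforced twice (by privileges and by a trigger) so that a later over-broad GRANT cannot silently make history editable. The table name `platform_audit_log` is from the page; the columns, the `authenticated` role and the sample values are assumptions for the illustration.

```sql
-- Added example, not Rotapulse's schema. Column, role and sample values are
-- assumed; the page only states that the panel writes to an append-only
-- platform_audit_log.
create table if not exists platform_audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid not null,   -- platform staff member performing the action
  action      text not null,   -- e.g. 'invite.resend', 'workspace.soft_disable'
  target_org  uuid,            -- customer workspace affected, if any
  details     jsonb not null default '{}'::jsonb
);

-- Privilege layer: application roles may only append and read.
revoke all on platform_audit_log from public;
grant select, insert on platform_audit_log to authenticated;

-- Trigger layer: reject UPDATE, DELETE and TRUNCATE even from a role that
-- holds the privilege, including the table owner during a migration.
create or replace function platform_audit_log_is_append_only() returns trigger
language plpgsql as $$
begin
  raise exception 'platform_audit_log is append-only; % is not permitted', tg_op
    using errcode = '42501';
end;
$$;

create trigger platform_audit_log_append_only
  before update or delete or truncate on platform_audit_log
  for each statement execute function platform_audit_log_is_append_only();

-- pgTAP check that the guarantee holds (constructed sample row).
begin;
select plan(3);

insert into platform_audit_log (actor_id, action, target_org, details)
values ('99999999-9999-9999-9999-999999999999', 'invite.resend',
        '11111111-1111-1111-1111-111111111111', '{"invite_id": "constructed"}');

select is((select count(*) from platform_audit_log where action = 'invite.resend'),
  1::bigint, 'append succeeds');
select throws_ok($$ update platform_audit_log set action = 'edited' $$,
  '42501', null, 'rows cannot be rewritten');
select throws_ok($$ delete from platform_audit_log $$,
  '42501', null, 'rows cannot be removed');

select * from finish();
rollback;
```

Read access to this table should be narrowed separately (for instance with an RLS policy that admits only platform staff, matching the requirePlatformStaff() gate in front of the panel); the example only covers the append-only property.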
Backups and recovery
Database backups are provided by Supabase: automated daily snapshots and point-in-time recovery up to the retention window of the plan. For disaster recovery planning purposes, we design to an RPO of 24 hours and an RTO of 4 hours.
- Point-in-time recovery: Supabase managed, up to 7 days
- Daily snapshots: Supabase managed
- RPO: <= 24 hours
- RTO target: <= 4 hours
Observability and incident response
Runtime observability comes from Vercel and Supabase provider logs. For security disclosures, please email compliance@rotapulse.co.uk. We aim to acknowledge within one business day and to publish a post-incident write-up on /status for anything user visible.
- Runtime logs: Vercel + Supabase logs
- Status page: /status
- Security contact: compliance@rotapulse.co.uk (PGP key available on request)
Data subject rights
Under UK GDPR, customers retain rights over their data. Workspace owners can request a full export or deletion by emailing compliance@rotapulse.co.uk. Contractual terms are in the Data Processing Agreement.
- Export: workspace owner can request full export
- Deletion: workspace owner can request deletion
- DPA: available on /legal/dpa (includes subprocessor list and breach notification terms)