Security & compliance.
Built to pass IT review at security-sensitive accounts. GDPR native, strict EU-only hosting, Postgres RLS on 100% of tables.
Hosting
- Primary: Supabase Frankfurt · eu-central-1
- Replicas: Liège, Belgium · continuous sync
- Zero non-EU: no Schrems II transfer issues; the US CLOUD Act does not apply
- Sub-processors: public list, 30-day notice before any addition
Authentication
- Email magic link — no password to memorize
- RS256-signed JWT sessions
- 30-min idle timeout, 2-min warning
- OAuth tokens encrypted via libsodium AEAD
Row-Level Security
All Postgres tables have strict RLS policies. No data is accessible without a valid authentication context. Queries are automatically scoped to user, event and organization.
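The scoping described above, as an added example that is not the product's own schema: a constructed `events` table with RLS policies that restrict rows to members of the owning organization, plus a check that no table in `public` is missing RLS. It assumes Supabase's `auth.uid()`, which returns the user id from the session JWT, and a hypothetical `memberships` table.

```sql
-- Constructed schema (hypothetical): events belong to an organization,
-- memberships map authenticated users to the organizations they can see.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  user_id         uuid not null,  -- matches auth.users.id in Supabase (assumption)
  organization_id uuid not null references organizations(id),
  primary key (user_id, organization_id)
);

create table events (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id),
  owner_id        uuid not null,
  title           text not null
);

-- Enable RLS and force it even for the table owner, so an app role
-- that owns the tables cannot silently bypass the policies.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table events      enable row level security;
alter table events      force row level security;

-- A user may see only their own membership rows.
create policy memberships_self on memberships for select
  using (user_id = auth.uid());

-- Membership check runs as definer so policies on events do not
-- recurse into the memberships policy; search_path is pinned.
create or replace function is_org_member(org uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from memberships
    where user_id = auth.uid() and organization_id = org
  );
$$;

-- Read: any member of the event's organization.
create policy events_select on events for select
  using (is_org_member(organization_id));

-- Write: only a member who also owns the row; WITH CHECK stops a
-- writer from moving a row into an organization they do not belong to.
create policy events_modify on events for all
  using (is_org_member(organization_id) and owner_id = auth.uid())
  with check (is_org_member(organization_id) and owner_id = auth.uid());

-- Coverage check for the "RLS on 100% of tables" claim: must return no rows.
select c.relname from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;
```

With no JWT present, `auth.uid()` is null, so neither policy matches and every query on `events` returns an empty set rather than an error.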
Audit logs
- Event CRUD operations
- API keys, webhooks, personal data exports
- Retention: 12 months (36 months on the Business plan)
GDPR — data subject rights
- Privacy center accessible in one click from the profile
- Granular consent — explicit opt-in
- Right to be forgotten honored within 30 days
- CSV/JSON export on demand
- Signable DPA included
Encryption
- TLS 1.3 on all connections, HSTS enabled
- AES-256 at-rest encryption (Supabase storage)
- libsodium for secrets and OAuth tokens
- Automatic key rotation every 90 days