Security

Multi-tenant isolation.
Audit-ready by default.

Row-level security in Postgres. Defense-in-depth on every admin query. Per-tenant secret encryption for API keys and webhook secrets. Real backups. SOC 2 Type II audit in 2026.

Multi-tenant isolation

RLS, every table, every query.

Postgres Row-Level Security. Every table has a tenant_id NOT NULL column. Tenant context is injected from the JWT. SECURITY DEFINER functions. Defense-in-depth: an explicit .eq('tenant_id', X) filter on every admin-client query.
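As an added illustration of the pattern described above (example schema, not boldreach.io's own): one tenant-scoped table protected by RLS, with the tenant read from the JWT. It assumes Supabase's auth.jwt() helper and authenticated role, and a custom claim app_metadata.tenant_id; the table, column and function names are constructed for the example.

```sql
-- Added example, not the product's schema. Assumes Supabase (auth.jwt(),
-- role "authenticated") and a custom JWT claim app_metadata.tenant_id.

create table public.contacts (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,            -- every table carries tenant_id NOT NULL
  email      text not null,
  created_at timestamptz not null default now()
);

-- Read the tenant from the JWT in one place so every policy stays short.
-- STABLE lets the planner evaluate it once per statement rather than per row.
create or replace function public.current_tenant_id()
returns uuid
language sql stable
as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

alter table public.contacts enable row level security;

-- Reads: only rows belonging to the caller's tenant are visible.
create policy contacts_tenant_select on public.contacts
  for select to authenticated
  using (tenant_id = public.current_tenant_id());

-- Writes: WITH CHECK stops a caller from inserting or re-pointing rows into
-- another tenant; USING alone would only filter what they can see.
create policy contacts_tenant_write on public.contacts
  for all to authenticated
  using (tenant_id = public.current_tenant_id())
  with check (tenant_id = public.current_tenant_id());

-- Caveat: a SECURITY DEFINER function runs as its owner. If the owner is the
-- table owner or a BYPASSRLS role (Supabase's service_role), the policies
-- above do not apply inside it, so the tenant filter must be explicit here,
-- the same defense-in-depth rule as .eq('tenant_id', X) on admin queries.
create or replace function public.count_contacts(p_tenant uuid)
returns bigint
language sql security definer set search_path = public
as $$
  select count(*) from public.contacts where tenant_id = p_tenant
$$;
```

A quick self-check for the policy is to run a SELECT as the authenticated role with a JWT for tenant A and confirm that rows inserted for tenant B are not returned.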

Encryption

AES-256 at rest. TLS 1.3 in transit.

Per-tenant secret encryption for API keys, webhook secrets, OAuth tokens. Keys rotated on schedule. No tenant data in shared encryption envelopes.

Authentication

JWT. Short TTL. 2FA. SSO on Scale.

Supabase Auth. Short-TTL JWTs with refresh tokens. 2FA available. SAML / OIDC SSO for Scale customers, alongside audit log, approvals, and an SLA.

Backups

Hourly point-in-time recovery.

PITR with 30-day retention. Verified-restore tested monthly. Disaster recovery procedure documented and rehearsed.

Compliance roadmap

Honest about today.
Honest about 2026.

SOC 2 Type II in 2026 — audit in flight. GDPR-aware (DPA available, EU subprocessors listed). India DPDP-compliant. Data-export endpoint live. We don't fake-claim certifications we don't hold.

Subprocessors

Who we use.
Why.

Listed at /trust/subprocessors. Updated when changed.

Database: Supabase (Postgres + Auth + Storage)

Payments: Stripe (Subscription + invoice payments)

Email: AWS SES (Transactional + marketing)

Workers: Inngest (Durable background jobs)

Hosting: Hetzner + Cloudflare (App + edge cache)

Errors: Sentry (Application error tracking)

AI: Groq · OpenAI · Anthropic (BYOK — your bill, our routing)

Voice: Whisper (100+ language transcription)

Responsible disclosure

security@boldreach.io

PGP key on /trust/security-pgp. We respond within 24 hours.