Platform documentation

Security and data protection

Authentication

  • Multi-factor authentication (email or authenticator app) required after signup
  • Privileged platform roles (super admin, agency admin) must use MFA
  • Password reset and session management via Supabase Auth

Encryption

  • In transit: TLS 1.2+ for all connections
  • At rest: Supabase encrypted storage; OAuth tokens encrypted server-side
  • Secrets: API keys stored as hashes; no client-side token encryption

Access control

  • Row Level Security (RLS) on all tenant data
  • Role-based access: system, organization, and workspace levels
  • Custom workspace roles with granular permissions
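A concrete shape for the tenant-isolation and workspace-role bullets above, written as an added example rather than the platform's own schema or policies: it assumes a `projects` table holding tenant data with a `workspace_id` column, and a `workspace_members` table that maps Supabase auth users to workspaces with a role. The final query is the check an auditor would run to confirm that RLS really is enabled on every public table.

```sql
-- Added example; table and column names are assumptions, not the platform's schema.
alter table public.projects enable row level security;
alter table public.projects force row level security;  -- applies to the table owner too

-- Workspaces the calling user belongs to, resolved from the Supabase JWT via auth.uid().
-- security definer with an empty search_path avoids recursive RLS on workspace_members
-- while keeping name resolution explicit.
create or replace function public.current_user_workspaces()
returns setof uuid
language sql
stable
security definer
set search_path = ''
as $$
  select workspace_id
  from public.workspace_members
  where user_id = auth.uid()
$$;

-- Read access: only rows in workspaces the caller is a member of.
create policy "projects_select_member" on public.projects
  for select to authenticated
  using (workspace_id in (select public.current_user_workspaces()));

-- Write access: membership alone is not enough; the workspace role must allow it.
create policy "projects_insert_editor" on public.projects
  for insert to authenticated
  with check (
    exists (
      select 1
      from public.workspace_members m
      where m.workspace_id = projects.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('admin', 'editor')
    )
  );

-- Check: any public table still listed here contradicts "RLS on all tenant data".
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

A table with RLS enabled but no policies denies all access to non-owner roles, so the check above should be paired with a review of `pg_policies` for each tenant table.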

Key rotation

API keys and OAuth encryption keys are rotated on a documented schedule. The operations team follows the internal key rotation checklist.

Disaster recovery

Supabase point-in-time recovery and Fly.io redeployment. Target RTO: 4 hours; RPO: 1 hour for the database.