Trust Center · Security
Security architecture
Defense in depth. Every layer assumes the layer above could be compromised.
Encryption
- At rest
  - AES-256-GCM (AWS KMS managed via Supabase)
- In transit
  - TLS 1.2+ with HSTS preload (max-age=63072000)
- Application layer
  - Supabase Vault (XChaCha20-Poly1305) for sensitive secrets
- Key rotation
  - 6 keys inventoried · 0 overdue
Identity & access
- Authentication
  - Supabase Auth — magic link + TOTP MFA
- MFA enrollment (admin)
  - 0 of —
- RBAC
  - 5 roles enforced via RLS (customer, supplier, admin, gc, driver)
- SSO / SAML
  - Available on Enterprise tier (Q4 2026)
- SCIM provisioning
  - Available on Enterprise tier (Q1 2027)
- Failed-auth lockout
  - 5 attempts / 15 min = lock + IP ban
- Quarterly access review
  - Next due —
Data protection
- Row-level security
  - Enabled on every public table; default-deny
- Data classification
  - 0 PII columns tagged (0 restricted, 0 confidential)
- Audit immutability
  - DB-level append-only + Merkle hash chain on admin actions (tamper-evident)
- Backup
  - Daily Supabase PITR · heartbeat-verified · quarterly restore drills
- Data residency
  - United States (us-east-1)
- Customer-managed keys (BYOK)
  - On Enterprise tier roadmap (Q2 2027)
Application & network
- Content Security Policy
  - strict-dynamic + per-request nonce + report-to
- Security headers
  - HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin
- Rate limiting
  - Sliding-window per-endpoint with X-RateLimit headers
- Honeypot trap
  - 16 paths → auto-ban 7d on first hit
- Webhook verification
  - HMAC-SHA256 (Stripe), HMAC-SHA1 (Twilio), secret-path (SendGrid)
- DDoS protection
  - Vercel edge + Cloudflare upstream
Threat detection
- Prompt-injection sanitizer
  - On every LLM-bound input + scraped evidence (sentinel-wrapped)
- GPS spoof gate
  - Server-side velocity / accel / accuracy / teleport detection
- Trust score anomaly
  - Velocity + score-pump triggers raise critical intervention cards
- RLS regression alert
  - Nightly scan; new violations raise immediate alert
- Canary network
  - Trip-wires across supplier listings + trust subjects
Vulnerability management
- Dependency scanning
  - GitHub Dependabot + Snyk in CI
- Static analysis
  - Semgrep + CodeQL in CI
- Secret scanning
  - GitHub Advanced Security + pre-commit hooks
- SBOM generation
  - CycloneDX on every release tag
- Penetration testing
  - Annual third-party · next Q3 2026
- Vulnerability disclosure
  - security.txt + VDP
Incident response
- Detection
  - Real-time via security command center + Realtime push
- Classification
  - SEV1–SEV4 with documented playbooks
- Customer notification SLA
  - 72 hours from confirmed personal data breach
- Open incidents
  - 0 · 0 critical
- Audit chain integrity
  - verifiable Merkle proof
Last updated 2026-05-20.