At rest — AES-256
Customer records (Postgres, object storage, backups) are encrypted at rest using AES-256 via our Supabase infrastructure. Encryption keys are managed by the platform; key rotation follows the upstream provider's published cadence.
We process financial records that audit firms must sign off on. Our security posture is built to satisfy that bar — encryption, India residency, deterministic audit trails, and a documented incident response window.
Customer records (Postgres, object storage, backups) are encrypted at rest using AES-256 via our Supabase infrastructure. Encryption keys are managed by the platform; key rotation follows the upstream provider's published cadence.
All client-to-server and service-to-service traffic uses TLS 1.3 with modern cipher suites. HTTP traffic is redirected to HTTPS. Strict-Transport-Security is enabled on production hosts.
Postgres, authentication, and object storage all run in the ap-south-1 (Mumbai) AWS region via our Supabase project. Backups are retained in the same region.
A small number of operational sub-processors (hosting edge, telemetry, DNS) may process data outside India. The full list, including data categories and regions, is published at /sub-processors.
We use Supabase Auth (email magic-link + OAuth providers) for sign-in. Every Postgres table is gated by Row-Level Security; cross-workspace reads are blocked at the database layer, not just the application layer.
Multi-factor authentication is on our roadmap for v1.1. We have a documented trigger to ship enforced MFA before the first enterprise customer goes live (see docs/operations/advisor-deferrals.md).
Roadmap
SOC 2 Type I and ISO 27001 are in assessment — target Q3 FY27. We do not yet hold these certifications. Enterprise customers can request our control mapping (CSA CAIQ-style) under NDA in the meantime.
We rely on Supabase's managed backups and point-in-time recovery. Our internal verification cadence and most recent restore drill are documented in docs/operations/backup-log.md.
Every state-changing API call writes an immutable row to audit_log. Auditors can reconstruct who did what, when, and against which snapshot. The audit log is append-only and replicated with the primary backup set.
Please email security@reyatech.com. We commit to: