Security posture

Security at ProductionLens

We process financial records that audit firms must sign off on. Our security posture is built to satisfy that bar — encryption, India residency, deterministic audit trails, and a documented incident response window.

Encryption

Data is encrypted at rest and in transit.

At rest — AES-256

Customer records (Postgres, object storage, backups) are encrypted at rest using AES-256 via our Supabase infrastructure. Encryption keys are managed by the platform; key rotation follows the upstream provider's published cadence.

In transit — TLS 1.3

All client-to-server and service-to-service traffic uses TLS 1.3 with modern cipher suites. HTTP traffic is redirected to HTTPS. Strict-Transport-Security is enabled on production hosts.

Data residency

Primary data lives in India.

ap-south-1 (Mumbai)

Postgres, authentication, and object storage all run in the ap-south-1 (Mumbai) AWS region via our Supabase project. Backups are retained in the same region.

Sub-processors

A small number of operational sub-processors (hosting edge, telemetry, DNS) may process data outside India. The full list, including data categories and regions, is published at /sub-processors.

Authentication & authorisation

Identity, sessions, and access control.

Supabase Auth + RLS

We use Supabase Auth (email magic-link + OAuth providers) for sign-in. Every Postgres table is gated by Row-Level Security; cross-workspace reads are blocked at the database layer, not just the application layer.

MFA — deferred with trigger

Multi-factor authentication is on our roadmap for v1.1. We have a documented trigger to ship enforced MFA before the first enterprise customer goes live (see docs/operations/advisor-deferrals.md).

Compliance

Where we are on certifications.

SOC 2 / ISO 27001

Roadmap

SOC 2 Type I and ISO 27001 are in assessment — target Q3 FY27. We do not yet hold these certifications. Enterprise customers can request our control mapping (CSA CAIQ-style) under NDA in the meantime.

DPDP Act 2023 alignment

We are aligned to India's Digital Personal Data Protection Act, 2023. Our role is typically Data Processor for the production company / audit firm. See /privacy and /dpa for the contractual surface.

Backups & audit trail

Every mutation is traceable. Every snapshot is recoverable.

Backups & PITR

We rely on Supabase's managed backups and point-in-time recovery. Our internal verification cadence and most recent restore drill are documented in docs/operations/backup-log.md.

Audit log guarantee

Every state-changing API call writes an immutable row to audit_log. Auditors can reconstruct who did what, when, and against which snapshot. The audit log is append-only and replicated with the primary backup set.

Vulnerability disclosure & incident response

Report a security issue.

Please email security@reyatech.com. We commit to:

  • 4-hour acknowledgement of credible reports during business hours (IST).
  • 72-hour public post-mortem after material incidents impacting customer data integrity, availability, or confidentiality.
  • No legal action against researchers who follow responsible disclosure (no DoS, no data exfiltration beyond proof, give us 30 days before publication).
Information current as of 2026-05-21.