Ayliea — AI Security Assessment & Compliance Consulting

Trust & Security

How we protect your data

Enterprise buyers ask for this on every call. Here it is, public and current. Updated when controls change.


Encryption

Per-org envelope encryption

DEK + MEK; database-only compromise yields ciphertext.

How it works

MFA

TOTP required, backup codes

NIST SP 800-63B password policy. RBAC across 5 org roles.

Auth details

Sub-processors

Named in DPA Annex III

11 vendors covering hosting, database, payments, AI, email, and analytics. Full list with roles and locations.

View Annex III

DPA

Published & ready to sign

Standard Contractual Clauses Module Two for international transfers.

Read the DPA

Security controls in detail

Each section below documents a specific area of our security posture.


Encryption

In transit: TLS 1.3 enforced at every ingress point. Plain HTTP requests redirect to HTTPS. HSTS is preloaded with a 63072000-second (two-year) max-age plus the includeSubDomains and preload directives.

At rest: Database storage is AES-256 encrypted at the disk layer by Supabase / AWS KMS. On top of that, sensitive PII (profile names, evidence file metadata, integration credentials) uses application-layer envelope encryption: each organization has its own Data Encryption Key (DEK), which is itself wrapped by a Master Encryption Key (MEK) held only in our application runtime. A database-only compromise yields ciphertext, not plaintext.

Key rotation: Tooling exists to rotate DEKs per-organization and the global MEK. Rotation re-wraps existing DEKs without re-encrypting application data, so rotations are fast and zero-downtime.

Authentication & Access Control

Password policy: 12-character minimum aligned to NIST SP 800-63B (length over complexity). No mandatory rotation, no character-class requirements, no password hints.

Multi-factor authentication: TOTP available for every account. Organization owners can enforce MFA for all members; non-compliant members are blocked from sign-in until they enroll. Backup recovery codes are hashed at rest; plaintext codes are shown once at generation and never persisted.

Session management: Cookie-based sessions with Secure, HttpOnly, SameSite=Lax flags. Refresh tokens rotate on every use. Native mobile sessions stored in hardware-backed keystores via expo-secure-store.

Role-based access: Five organization roles (Owner, Admin, Member, Auditor, Viewer) with distinct permission sets enforced at the API and database (Row-Level Security) layers. The full permission matrix is documented in our developer docs.

Audit Logging

Administrative actions, role changes, tier changes, and sensitive operations write to an append-only audit log. Logs are retained for the lifetime of the organization and accessible via the in-app Activity Log (Enterprise tier) or via CSV export.

Application errors and security-relevant events are forwarded to Sentry with personal data sanitization. User identifiers are pseudonymized for issue correlation only.

Infrastructure & Hosting

Application runtime: Vercel (US-based edge + serverless functions, automatic global edge failover for static assets). Database, authentication, file storage, and edge functions: Supabase (US, AWS infrastructure). Both providers are SOC 2 Type II certified.

All services are bound behind authenticated endpoints. No direct database access from the public internet. Service-role credentials are scoped per-environment and never reach the client. Infrastructure-as-code via Vercel + Supabase migrations for reproducible environments.

Web Security Headers

Every response from the application carries strict security headers:

  • Content-Security-Policy — default-src 'self', no inline scripts except hashed/nonced
  • Strict-Transport-Security — 2-year max-age, preloaded
  • X-Frame-Options: DENY — clickjacking protection
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — camera, microphone, geolocation, browsing-topics all denied

Verify the live header set yourself via securityheaders.com (currently grade A+).

Data Protection

File uploads: Evidence attachments enter a quarantine bucket and are scanned via VirusTotal before being promoted to the evidence bucket. Files that fail scanning are deleted immediately. Access is via short-lived signed URLs only.

Rate limiting: Per-user and per-IP limits on all API endpoints, backed by an Upstash Redis store. Distributed enforcement across edge regions; in-memory burst protection per isolate.

Input validation: Zod schemas at every API boundary. Sanitized error responses never leak personal data, tokens, or stack traces to clients.

Privacy & Data Subject Rights

Data minimization: We collect only what's necessary to deliver the Service. New data collection undergoes internal privacy review before shipping.

Subject rights: All users can export their personal data (JSON) and delete their accounts directly from the app. Account deletion has a 30-day soft-delete window followed by permanent removal from primary systems.

International transfers: Standard Contractual Clauses (2021 Module Two) referenced in our DPA cover transfers to non-EEA sub-processors.

Full Data Processing Agreement available at /legal/dpa. Privacy Policy at /privacy.

Incident Response & Disclosure

Notification: Customers will be notified without undue delay of any confirmed Personal Data Breach affecting their data, in accordance with GDPR Art. 33 / Art. 34 requirements (typically within 72 hours of awareness).

Coordinated disclosure: Security researchers can report vulnerabilities to security@ayliea.com. We aim to acknowledge within 1 business day. PGP key on request.

No bug bounty (yet): We don't operate a paid bug bounty program. We do publicly recognize researchers who report valid issues; a Security Researcher Hall of Fame page is planned.

Backup & Disaster Recovery

Database: Backup cadence is governed by our infrastructure sub-processor (Supabase). Our current plan tier does not include point-in-time recovery; upgrading to a tier with PITR is on our roadmap and will be announced when it lands. In the interim, we operate with the understanding that disaster recovery for arbitrary point-in-time restoration is not available.

Application code: Source repository hosted on GitHub with branch protection rules and required pull-request review. Production deployments are immutable and versioned; rollback to any previous deployment is a one-click operation in Vercel.

Application availability: Vercel's edge network serves static assets and API routes from the geographic edge nearest the user, with automatic regional failover. Database and auth are hosted in a single AWS region (US-East) with provider-managed within-region high availability.

Regulatory alignment

Standards we operate in alignment with. We do not claim certifications we have not earned.

GDPR

Standard DPA published with SCCs Module Two for international transfers. Data subject rights honored via the privacy notice.

Aligned

CCPA

Privacy notice meets CCPA disclosure requirements. Data subject rights (access, delete, opt-out) honored via the privacy notice.

Aligned

Sub-processors

The third parties that process customer data on our behalf.

Our complete sub-processor list, including each vendor's role and processing location, is published in Annex III of our Data Processing Agreement.

View Sub-processors in DPA Annex III →

We notify customers of new Sub-processors at least 15 days before they begin Processing. To subscribe to change notifications, email privacy@ayliea.com.

Have a security question?

Email security@ayliea.com for vulnerability reports, or privacy@ayliea.com for data-protection inquiries.