Security
Where your data sits, who touches it, how we keep it safe.
Plain-English disclosure of our infrastructure, sub-processors, and security practices. We update this page whenever the underlying setup changes; the last revision date is visible at the bottom.
Singapore-first data residency
Your primary database, file storage, and authentication all run in a Singapore datacentre on infrastructure we self-host and control. We don't replicate user content outside SG without your explicit consent.
Encryption everywhere
TLS 1.3 in transit on every public surface. AES-256 at rest for the database and file-storage layers. Auth tokens are signed JWTs with rotated keys.
Principle of least privilege
Application code uses scoped service tokens, not the master key. Engineering admin access is gated behind 2FA. Customer support can read account metadata, never user content.
Incident response
We commit to notifying affected customers within 72 hours of confirming a breach (aligned with PDPA and GDPR). Status page plus post-mortem within 14 days.
Sub-processors
Third parties who process customer data on our behalf. Each row links to that vendor's privacy policy. We notify customers 30 days before adding or replacing any sub-processor.
| Vendor | Purpose | Data category | Region |
|---|---|---|---|
| Supabase (self-hosted) | Primary database, auth, file storage | All user data, account metadata, content | Singapore |
| Stripe | Payment processing, subscription billing | Payment method, billing email, invoice history | Global / multiple |
| OpenRouter | AI model gateway | User prompts, generated text | United States |
| OpenAI | AI model provider | User prompts, generated text | United States |
| fal.ai | Image generation | Image prompts, generated images | United States |
| DataForSEO | Live keyword data + top search results | Keywords entered (no personal data) | United States |
| Google APIs (Gmail / Calendar / OAuth) | Inbox, calendar sync, sign-in | Email metadata + content (connected accounts only) | Global / multiple |
| Google Analytics / Tag Manager (Google LLC) | Website + app usage analytics (only when analytics cookies are accepted) | Pageviews, events, device type, approximate location from IP — no content | Global / multiple |
| Meta APIs (Facebook / Instagram) | Social-media publishing (Facebook, Instagram) | Post content, posting account credentials | Global / multiple |
| LinkedIn API | Social-media publishing | Post content, posting account credentials | Global / multiple |
| Cloudflare Turnstile | CAPTCHA / bot protection | IP, browser fingerprint (transient) | Global / multiple |
| SMTP (self-hosted) | Transactional email | Email recipient + content | Singapore |
| Telegram Bot API (optional) | Optional notification channel | Notification content (only if enabled) | Global / multiple |
| Discord webhooks (optional) | Optional notification channel | Notification content (only if enabled) | Global / multiple |
Last reviewed 2026-05-02. Subscribe to the changelog (when it launches) to be notified of changes.
Data Processing Agreement
If your team needs a signed DPA before going live, email us and we'll send our template (PDPA + GDPR coverage). Most procurement reviews accept it as-is. Need redlines? Tell us what changes you need.
Found a vulnerability?
Email our security team directly. We acknowledge within one working day and run a coordinated disclosure timeline. We don't yet have a public bug-bounty program — that's a follow-up post-launch.
security@isolutionshub.com