Security & trust.
Data isolation
Every tenant's data lives in its own row-level-security-scoped Postgres tables. A bug in application code cannot leak data across tenants — the database enforces isolation independently.
Authentication
Auth is handled by Supabase Auth (email/password + Google OAuth). Passwords hashed with bcrypt. Sessions use signed JWTs with short expiry and silent refresh.
Credential storage
API keys for connected platforms (Neon, MadinaApps, MyMasjidHub) are encrypted at rest and decrypted only inside ingestion workers. Keys are never exposed to the browser or logged.
Backups
Daily Postgres backups with 7-day point-in-time recovery. Raw CSVs retained in tenant-scoped storage for audit. Customer can request full export at any time.
Compliance roadmap
SOC 2 Type 1 attestation is planned for Q4 of our first year of operation. In the meantime, we publish our security practices publicly and sign a Data Processing Agreement on request.
Incident response
We commit to notifying affected customers within 72 hours of confirming a data breach, per GDPR-aligned best practice. No GDPR data is currently processed, but we apply the same standard.