Security Architecture

Enterprise-grade protection.

⛨

Infrastructure Security

✓Hosted on Vercel and Supabase with SOC 2 Type II certification
✓All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
✓Database-level row-level security (RLS) policies enforce tenant isolation
✓Automated daily backups with point-in-time recovery
✓HSTS preload with 1-year max-age, includeSubDomains

⬢

Access Control

✓Role-based access control (RBAC) with organisation-level scoping
✓Multi-factor authentication enforced platform-wide (TOTP, AAL2)
✓Session tokens in httpOnly secure cookies (not localStorage)
✓Per-IP rate limiting across all routes (auth, API, upload)
✓Comprehensive audit trail for all read, write, and admin operations

▣

Data Privacy

✓Security-by-design and privacy-by-design architecture from first principles
✓No cross-tenant data access or analytics
✓Data processing limited to platform functionality
✓Full data portability -- your compliance records can be exported or migrated at any time
✓Account deletion and data purge workflows with full audit trail

◇

Application Security

✓Input validation and parameterised queries throughout
✓Content Security Policy, CSRF protection, and OWASP security headers
✓File upload validation: MIME type, extension, size limit, magic byte verification
✓Per-IP sliding window rate limiting with category-specific thresholds
✓Dependency scanning and vulnerability monitoring

Trust Principles

Honest about what we do.

Your data belongs to you

Priventia processes your compliance data solely to deliver platform functionality. We do not train models on your data, share it with third parties, or use it for analytics beyond what you see in your own dashboard. Your corporate data always belongs to your organisation, and you decide what happens to it.

Transparency over marketing

We do not claim certifications we do not hold. Where third-party infrastructure providers hold certifications (e.g. SOC 2), we state that clearly. Our own security posture is described honestly.

Minimal data collection

Priventia collects only the data necessary to deliver compliance management functionality. We do not use tracking pixels, sell data, or collect analytics beyond essential platform telemetry.

Practitioner accountability

Priventia is built by a compliance practitioner who understands data protection obligations from the inside. The same standards we help organisations meet are the standards we apply to our own operations.

Data Handling

How we handle your data.

🔒

Encrypted everywhere

AES-256 at rest, TLS 1.2+ in transit. Your compliance data is encrypted at every stage, from browser to database.

🛡

Tenant isolation

Row-level security policies ensure complete data isolation between organisations. No cross-tenant access, regardless of query origin.

📦

Data portability

Your compliance records belong to your organisation. Export or migrate your data at any time -- full portability is built in.

🗑

Data deletion

Full account deletion and data purge workflows. Request deletion of all organisation data with a complete audit trail.

💾

Backup & recovery

Automated daily encrypted backups with point-in-time recovery. RPO: 24 hours. RTO: 4 hours.

🔍

Security monitoring

Real-time monitoring for failed login spikes, rate limit breaches, privilege changes, and suspicious activity patterns.

Sub-processors

Third parties that process your data.

Priventia uses a limited number of sub-processors to deliver platform functionality. Each is selected for its security posture and, where available, EU hosting region. We will notify customers of any changes to this list.

Sub-processor	Purpose	Data location	Certifications
Supabase	Database, authentication, row-level security	AWS eu-west-1 (Ireland) *	SOC 2 Type II
Vercel	Application hosting, edge network, serverless functions	Global CDN; compute configurable to EU	SOC 2 Type II
Sentry	Error monitoring and application performance	EU (Frankfurt)	SOC 2 Type II
Google Workspace	Business email, customer communication	EU (Netherlands)	SOC 2 Type II ISO 27001
Google Fonts	Web font delivery (Playfair Display, Inter)	Global CDN	--

* Confirm your Supabase project region in your dashboard under Project Settings. EU hosting (Ireland or Frankfurt) is available and recommended for EU-based organisations.

Encryption & Secrets

Defence in depth.

Priventia implements layered encryption and strict secrets management aligned with ISO 27001 A.8.24 and SOC 2 CC6.7.

Encryption in Transit

✓TLS 1.2+ on all client-server communication
✓HSTS preload (max-age 1 year, includeSubDomains)
✓Supabase enforces TLS for all database connections

Encryption at Rest

✓AES-256 encryption on all database storage (Supabase-managed)
✓Uploaded evidence files encrypted at rest in Supabase Storage
✓Automated encrypted daily backups

Secrets Management

✓No secrets stored in source code or version control
✓Environment variables via Vercel Secrets (encrypted, scoped per environment)
✓Service role key used only in server-side API routes, never exposed to client
✓Periodic key rotation policy for all service credentials

Compliance Alignment

Standards we build to.

Priventia is designed with ISO 27001:2022 and SOC 2 Type I trust criteria as architectural requirements, not afterthoughts.

Control Area	ISO 27001	SOC 2	Implementation
Authentication	A.8.5	CC6.1	Supabase Auth + TOTP MFA (AAL2 enforced)
Session Security	A.8.5	CC6.1	httpOnly cookies via @supabase/ssr
Access Control	A.9.4	CC6.1	RBAC with role hierarchy, RLS
Tenant Isolation	A.8.22	CC6.3	PostgreSQL row-level security policies
Audit Logging	A.8.15	CC7.2	DB triggers + API-level logging (21 tables)
Log Retention	A.8.15	CC7.2	365-day retention, critical logs exempt from purge
Rate Limiting	A.8.20	CC6.6	Per-IP sliding window by route category
File Security	A.8.10	CC6.7	MIME validation, size limits, magic byte checks
Transport Security	A.8.24	CC6.7	TLS 1.2+ with HSTS preload
Security Headers	A.8.20	CC6.6	OWASP recommended headers on all responses
Data Deletion	A.8.10	CC6.5	Account deletion, data export, GDPR Article 17
Privileged Access	A.8.2	CC6.1	Impersonation tracking with full audit trail

About
About Priventia
Our Approach
Security & Trust
Platform
Modules
Capabilities
How Priventia Works
Advisory Network
Insights
Regulatory Changes
Articles
Pricing
Contact

Request Early Access Sign In

Security & Trust

Your compliance data,
protected.

Priventia is built with security-by-design and privacy-by-design principles at every layer. The same standards we help organisations achieve are the standards we hold ourselves to.

Security Architecture

Enterprise-grade protection.

⛨

Infrastructure Security

✓Hosted on Vercel and Supabase with SOC 2 Type II certification
✓All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
✓Database-level row-level security (RLS) policies enforce tenant isolation
✓Automated daily backups with point-in-time recovery
✓HSTS preload with 1-year max-age, includeSubDomains

⬢

Access Control

✓Role-based access control (RBAC) with organisation-level scoping
✓Multi-factor authentication enforced platform-wide (TOTP, AAL2)
✓Session tokens in httpOnly secure cookies (not localStorage)
✓Per-IP rate limiting across all routes (auth, API, upload)
✓Comprehensive audit trail for all read, write, and admin operations

▣

Data Privacy

✓Security-by-design and privacy-by-design architecture from first principles
✓No cross-tenant data access or analytics
✓Data processing limited to platform functionality
✓Full data portability -- your compliance records can be exported or migrated at any time
✓Account deletion and data purge workflows with full audit trail

◇

Application Security

✓Input validation and parameterised queries throughout
✓Content Security Policy, CSRF protection, and OWASP security headers
✓File upload validation: MIME type, extension, size limit, magic byte verification
✓Per-IP sliding window rate limiting with category-specific thresholds
✓Dependency scanning and vulnerability monitoring

Trust Principles

Honest about what we do.

Your data belongs to you

Transparency over marketing

We do not claim certifications we do not hold. Where third-party infrastructure providers hold certifications (e.g. SOC 2), we state that clearly. Our own security posture is described honestly.

Minimal data collection

Priventia collects only the data necessary to deliver compliance management functionality. We do not use tracking pixels, sell data, or collect analytics beyond essential platform telemetry.

Practitioner accountability

Data Handling

How we handle your data.

🔒

Encrypted everywhere

AES-256 at rest, TLS 1.2+ in transit. Your compliance data is encrypted at every stage, from browser to database.

🛡

Tenant isolation

Row-level security policies ensure complete data isolation between organisations. No cross-tenant access, regardless of query origin.

📦

Data portability

Your compliance records belong to your organisation. Export or migrate your data at any time -- full portability is built in.

🗑

Data deletion

Full account deletion and data purge workflows. Request deletion of all organisation data with a complete audit trail.

💾

Backup & recovery

Automated daily encrypted backups with point-in-time recovery. RPO: 24 hours. RTO: 4 hours.

🔍

Security monitoring

Real-time monitoring for failed login spikes, rate limit breaches, privilege changes, and suspicious activity patterns.

Sub-processors

Third parties that process your data.

Sub-processor	Purpose	Data location	Certifications
Supabase	Database, authentication, row-level security	AWS eu-west-1 (Ireland) *	SOC 2 Type II
Vercel	Application hosting, edge network, serverless functions	Global CDN; compute configurable to EU	SOC 2 Type II
Sentry	Error monitoring and application performance	EU (Frankfurt)	SOC 2 Type II
Google Workspace	Business email, customer communication	EU (Netherlands)	SOC 2 Type II ISO 27001
Google Fonts	Web font delivery (Playfair Display, Inter)	Global CDN	--

* Confirm your Supabase project region in your dashboard under Project Settings. EU hosting (Ireland or Frankfurt) is available and recommended for EU-based organisations.

Encryption & Secrets

Defence in depth.

Priventia implements layered encryption and strict secrets management aligned with ISO 27001 A.8.24 and SOC 2 CC6.7.

Encryption in Transit

✓TLS 1.2+ on all client-server communication
✓HSTS preload (max-age 1 year, includeSubDomains)
✓Supabase enforces TLS for all database connections

Encryption at Rest

✓AES-256 encryption on all database storage (Supabase-managed)
✓Uploaded evidence files encrypted at rest in Supabase Storage
✓Automated encrypted daily backups

Secrets Management

✓No secrets stored in source code or version control
✓Environment variables via Vercel Secrets (encrypted, scoped per environment)
✓Service role key used only in server-side API routes, never exposed to client
✓Periodic key rotation policy for all service credentials

Compliance Alignment

Standards we build to.

Priventia is designed with ISO 27001:2022 and SOC 2 Type I trust criteria as architectural requirements, not afterthoughts.

Control Area	ISO 27001	SOC 2	Implementation
Authentication	A.8.5	CC6.1	Supabase Auth + TOTP MFA (AAL2 enforced)
Session Security	A.8.5	CC6.1	httpOnly cookies via @supabase/ssr
Access Control	A.9.4	CC6.1	RBAC with role hierarchy, RLS
Tenant Isolation	A.8.22	CC6.3	PostgreSQL row-level security policies
Audit Logging	A.8.15	CC7.2	DB triggers + API-level logging (21 tables)
Log Retention	A.8.15	CC7.2	365-day retention, critical logs exempt from purge
Rate Limiting	A.8.20	CC6.6	Per-IP sliding window by route category
File Security	A.8.10	CC6.7	MIME validation, size limits, magic byte checks
Transport Security	A.8.24	CC6.7	TLS 1.2+ with HSTS preload
Security Headers	A.8.20	CC6.6	OWASP recommended headers on all responses
Data Deletion	A.8.10	CC6.5	Account deletion, data export, GDPR Article 17
Privileged Access	A.8.2	CC6.1	Impersonation tracking with full audit trail

Questions about security?

We are happy to discuss our security architecture, data handling practices, or any specific requirements your organisation may have.

Get in Touch Request a Demo

Your compliance data,protected.

Enterprise-grade protection.

Honest about what we do.

How we handle your data.

Third parties that process your data.

Defence in depth.

Standards we build to.

Questions about security?

Your compliance data,protected.

Enterprise-grade protection.

Honest about what we do.

How we handle your data.

Third parties that process your data.

Defence in depth.

Standards we build to.

Questions about security?

Your compliance data,
protected.

Your compliance data,
protected.