Last reviewed 2026-05-28

Security at Easy RFP

Encryption at rest and in transit, EU data residency, pre-signed GDPR DPA, row-level security enforced at the database, and an honest disclosure of what we do not have yet (no SOC 2 report, no third-party pentest report — see §7).

At rest

AES-256 (Supabase / Postgres)

In transit

TLS 1.3 (Cloudflare edge)

Data residency

EU only (London + EU edge)

DPA

Pre-signed, downloadable

Row security

Postgres RLS, CI-enforced

SSO

Google Workspace OAuth (live)

1. Encryption at rest

Customer data is stored in Supabase-managed PostgreSQL clusters running in the EU. Disk volumes are encrypted with AES-256 by the Supabase platform — Easy RFP does not operate raw filesystems. Backups are encrypted with the same standard and held in Cloudflare R2 (EU bucket) with 30-day rolling retention plus 12 monthly archives.

Object storage (user-uploaded RFP attachments, PDFs, hotel proposals) lives in the Supabase Storage bucket, also AES-256 at rest. Signed URLs expire by default in 60 minutes; long-term download links are scoped per session and revocable from /app/account/.

2. Encryption in transit

All connections to easyhotelrfp.com, app.easyhotelrfp.com, and the Supabase data layer are forced over TLS 1.3. We do not accept TLS 1.0 or 1.1 — the Cloudflare edge rejects them with HTTP 526. HSTS is enabled with a one-year max-age and preload-list inclusion. You can verify the cipher suites at SSL Labs (target rating: A+ — last check 2026-05-15).

3. EU data residency

Primary data store is Supabase in the eu-west-2 (London, UK) region. The CDN/edge layer is Cloudflare with EU edge routing enforced for European traffic. No customer record is mirrored to a US region, no analytics replica is built on a US-resident database.

Sub-processors that are US-incorporated (Stripe, Resend, OpenAI, Anthropic) operate under Standard Contractual Clauses + a signed DPA, plus zero-data-retention configurations where available. See the full trust center subprocessor list for the complete table.

4. GDPR DPA — pre-signed, downloadable

Procurement teams ask for a Data Processing Addendum before signing. Ours is published, pre-signed by the founder, and ready to attach to your master agreement. No NDA, no sales-call gate.

Easy RFP GDPR DPA · v2.1 · May 2026

Article 28 GDPR · pre-signed · attach to your master agreement

Download PDF →

Custom redlines are negotiable for Enterprise accounts — email [email protected] with subject "Custom DPA" and we respond within 5 business days.

5. Row-level security (RLS)

Every table containing customer data is protected by Postgres RLS policies. A user can only read or modify rows owned by their organisation. RLS is enforced at the database — not at the application layer — so a bug in the API surface still cannot leak cross-tenant data.

RLS policy unit tests run in CI on every merge to main
Maker / Checker / Sponsor / Admin / Auditor roles enforced via Postgres app_role claim
RLS test suite covers cross-org isolation, RFP visibility, proposal authorship, billing scope
Schema and policy review is part of the pre-deploy gate (see /status/ for incident log)

6. Authentication, SSO, MFA

Method	Status	Available on
Magic-link email (passwordless)	Live	All plans
Google Workspace SSO (OAuth 2.0)	Live	All plans
MFA (TOTP, Google Authenticator / 1Password)	Available	All plans — opt-in at `/app/account/security`
SAML 2.0 SSO (Entra ID / Okta)	Q3 2026	Team + Enterprise (roadmap)
SCIM provisioning	Q4 2026	Enterprise (roadmap)

Sessions use rotating JWT tokens with 15-minute access lifetime + 7-day refresh. Idle sessions expire after 24 hours. Admins can force-revoke all sessions for a user from /app/admin/users.

7. SOC 2, ISO 27001, pentest — honest status

We are NOT yet SOC 2 Type II certified. No paid SaaS in our stage of growth pretends otherwise. Here is the real roadmap, with target dates we will publicly fail against if we miss them.

Standard	Status	Target
GDPR DPA	Available now	Pre-signed at /legal/dpa.pdf
SOC 2 Type II	Audit starts Q4 2026	Type I report by Q1 2027; Type II report by Q3 2027
ISO 27001	Planned	H2 2027 (after SOC 2 foundation)
Third-party penetration test	No report yet	First engagement Q3 2026 with EU-based firm; report shareable under NDA
PCI-DSS	Inherited via Stripe	No card data touches Easy RFP servers

In the interim we provide on request: architecture diagrams, RLS policy review, SIG-Lite responses, CAIQ v4 responses, and reference customers in regulated MICE buyers. Email [email protected].

8. Vulnerability management & patching

Automated dependency scanning via GitHub Dependabot — high-severity CVEs patched within 7 days, critical within 48 hours
Container base images rebuilt weekly; runtime images use Distroless where possible
Static analysis on every PR (CodeQL + ESLint security rules)
Secrets management via Cloudflare environment bindings — no .env in repo, no secrets in CI logs
Code review required on main for any change to auth, billing, or RLS policy

9. Backup, disaster recovery, RPO/RTO

Backup cadence: daily full pg_dump, encrypted, stored in Cloudflare R2 (EU)
Retention: 30 days rolling + 12 monthly archives
RPO: 24 hours
RTO: 4 hours to restore service from cold backup
Restore drills: quarterly (next: Q3 2026 — outcome published on the status page)

10. Audit logs & tamper evidence

Material user actions (login, RFP create/update/submit, proposal updates, billing events, admin role changes) are captured in an append-only audit log retained for 24 months minimum (GDPR Art. 30). Admins access the log at /app/admin/audit/. Exportable to CSV or JSON on request.

Tamper-evident hash chaining (each entry signed with SHA-256 of the previous record) is scheduled for Q3 2026.

11. Incident response

Public status page at /status/ and health probe at /api/health — we do not claim 99.99% without monitoring proof; the health endpoint is the proof
Material incidents notified to customers within 72 hours per GDPR Art. 33
Founder escalation within 4 business hours for security-tagged subjects
Public post-mortem for any incident affecting >5% of customers or lasting >1 hour

12. Reporting a security issue

Responsible disclosure: email [email protected] with subject "SECURITY". Acknowledged within 24 business hours. A formal bug-bounty programme launches H2 2026 once we cross 50 paid customers; until then we offer coordinated disclosure credit on this page.

13. Vendor & sub-processor list

The full table (provider, purpose, region, contractual basis) is maintained on the trust center. Short version: Supabase (EU London, UK), Cloudflare (EU edge), Stripe (PCI-DSS inherited), Resend (transactional email with zero retention), OpenAI + Anthropic (model providers with zero-retention configs), PostHog (EU analytics), Sentry (EU error monitoring).

14. Frequently asked (security)

Can we have your SIG-Lite / CAIQ / custom questionnaire response?

Yes — typical turnaround is 5 business days. Email [email protected] with the questionnaire attached.

Can we sign a custom DPA?

Yes for Team / Enterprise plans. The pre-signed standard at /legal/dpa.pdf covers most cases.

Where is hotel data stored?

Same EU Postgres cluster as planner data. Hotels respond to RFPs via magic-link without an account; their email and proposal payload live under planner-org RLS scope.

Do you train AI models on customer data?

No. Zero-retention contracts are in force with OpenAI and Anthropic; no prompt or completion is used for model training. Confirmed in the DPA addendum.

For the trust center (sub-processors, certifications roadmap, audit logs) see /trust/ · For the DPA see /legal/dpa.pdf · For privacy policy see /privacy/