Trust & Security
Easy RFP is built for European MICE event planners and increasingly used by procurement teams at SME and mid-market companies. This page lists security commitments, certifications roadmap, and supporting documentation required by your vendor risk assessment process.
For your security questionnaire, please contact [email protected] with subject "Security questionnaire" — typical response time under 5 business days.
1. Data residency
Production data is hosted in the European Union:
- Database: Supabase Postgres in eu-central-1 (Frankfurt, Germany)
- Edge functions: Cloudflare Workers (global edge with EU primary)
- Static assets: Cloudflare Pages CDN (global edge)
- Email delivery: Resend (US-based with EU data residency option on enterprise plans)
- Backups: Cloudflare R2 in EU region (daily snapshots, 30-day retention, encrypted)
2. Encryption
- In transit: TLS 1.3 enforced site-wide (HSTS preload list, no fallback to HTTP)
- At rest: AES-256 (Supabase Postgres native encryption + Cloudflare R2 server-side encryption)
- Secrets management: Environment variables via Supabase secrets vault and Cloudflare Pages secrets (not in source control)
- Key rotation: API keys rotated quarterly; service role keys rotated on suspected compromise
3. Subprocessors
Easy RFP relies on the following subprocessors. Each has been evaluated for GDPR adequacy and security posture. Updates are published with at least 30 days' notice for material changes.
| Subprocessor | Purpose | Data location | GDPR basis |
|---|---|---|---|
| Supabase (supabase.com) | Database, authentication, storage, edge functions | EU (Frankfurt) | DPA + EU hosting |
| Cloudflare | CDN, DDoS protection, Pages, Workers, R2 backups | Global edge / EU R2 | DPA + Standard Contractual Clauses |
| Resend | Transactional email (magic-link, RFP outreach, notifications) | US (EU residency on enterprise tier) | DPA + SCC |
| Stripe | Payment processing, billing, customer portal | US/EU dual | DPA + SCC + PCI-DSS Level 1 |
| OpenAI | AI proposal parser (GPT-4o verifier) — zero data retention enabled | US | DPA + SCC + zero retention |
| Anthropic | AI proposal parser (Claude Sonnet primary) — zero data retention enabled | US | DPA + SCC + zero retention |
| PostHog | Product analytics (funnel events, no PII) | EU (eu.i.posthog.com) | DPA + EU hosting |
| Sentry | Error monitoring (no PII captured) | EU | DPA + EU hosting |
Subscribe to subprocessor change notifications: [email protected]
4. Certifications & audit roadmap
| Standard | Status | Target date |
|---|---|---|
| GDPR DPA | Available now | Download at /dpa/ |
| Cookie consent (EU) | Live | IAB TCF v2 compliant |
| SOC 2 Type II | Planned | Q1 2027 target audit window |
| ISO 27001 | Planned | H2 2027 (after SOC 2 foundation) |
| Penetration test | Annual cadence planned | First test Q3 2026 |
| PCI-DSS | Inherited via Stripe | No card data touches Easy RFP servers |
Honest disclosure: Easy RFP is a small-team SaaS in active growth. SOC 2 Type II and ISO 27001 are roadmap items, not current certifications. We share architecture diagrams, RLS policy review, and security questionnaire responses on request to support your interim risk assessment.
5. Authentication & access control
- Today: Magic-link email authentication (passwordless), session tokens with rotation
- Q3 2026: Optional 2FA via TOTP
- Q3 2026: SSO SAML 2.0 (Microsoft Entra ID, Okta, Google Workspace) for Team and Enterprise tiers
- Q4 2026: Role-based access control (RBAC) — Maker / Checker / Sponsor / Admin / Auditor with configurable thresholds
- Q4 2026: Maker-Checker approval workflow engine for high-value RFPs
6. Data isolation & row-level security
Every database table containing customer data is protected by Postgres Row-Level Security (RLS) policies. A user can only read or modify data belonging to their organization. RLS is enforced at the database level, not the application level. The RLS test suite runs in CI on every deploy.
7. Audit logs
- Captured today: User actions (login, logout, RFP create/update/submit, proposal updates), admin actions, billing events
- Retention: 24 months minimum (per GDPR Article 30)
- Access: Available to organization admins via /app/admin/audit/. Exportable to CSV/JSON on request.
- Q3 2026: Tamper-evident hash chain (each entry signed with sha256 of previous)
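The hash chain on the roadmap, as an added illustration (not Easy RFP's code): each entry's sha256 covers the previous entry's hash plus its own canonical JSON, so editing or reordering any earlier entry breaks every link after it. Field names and the sample events are constructed for the example.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # stand-in "previous hash" for the very first entry

def entry_digest(prev_hash, entry):
    """sha256 over the previous entry's hash plus this entry's canonical
    JSON (sorted keys, no whitespace), so any field change alters the digest."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append_entry(chain, entry):
    """Append an audit event, linking it to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = dict(entry)
    record["prev_hash"] = prev_hash
    record["hash"] = entry_digest(prev_hash, entry)
    chain.append(record)
    return record

def verify_chain(chain):
    """Walk the chain from genesis. Returns (True, None) if every link holds,
    otherwise (False, index of the first entry whose link fails)."""
    prev_hash = GENESIS_HASH
    for index, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != prev_hash or record["hash"] != entry_digest(prev_hash, body):
            return False, index
        prev_hash = record["hash"]
    return True, None

# Constructed sample events, modelled on the user actions listed above.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:00:00Z", "actor": "planner@example.com", "action": "login"},
    {"ts": "2026-05-04T09:05:00Z", "actor": "planner@example.com", "action": "rfp.create", "rfp_id": "rfp_demo_1"},
    {"ts": "2026-05-04T09:40:00Z", "actor": "planner@example.com", "action": "rfp.submit", "rfp_id": "rfp_demo_1"},
]

def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain

if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))  # (True, None)
```

A plain sha256 chain detects edits to the middle but not truncation of the tail plus a fresh head, so the latest hash should be anchored somewhere the database writer cannot change (for example an exported checkpoint), or each digest computed as an HMAC with a key held outside the database.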
8. Incident response
- Status page: easyhotelrfp.com/status — public uptime monitor
- Customer notification: Material incidents reported within 72 hours per GDPR Article 33
- Founder direct line: [email protected] — escalation within 4 business hours for security-flagged subjects
- Postmortem: Published publicly for any incident affecting more than 5% of customers or lasting longer than 1 hour
9. Backup & disaster recovery
- Backup cadence: Daily full backups via pg_dump, stored in Cloudflare R2 EU region
- Retention: 30 days rolling + monthly archives held for 12 months
- RPO (Recovery Point Objective): 24 hours
- RTO (Recovery Time Objective): 4 hours for service restoration from cold backup
- Tested: Quarterly restore drills (next: Q3 2026)
10. Data portability & export
Customer data is yours. At any time:
- Export all RFP, proposal, and hotel data as CSV via /app/account/export (Q3 2026 — currently on request)
- Request full account deletion under GDPR Article 17 — completed within 30 days
- Receive structured machine-readable export (JSON) for migration to another vendor
11. Hotel-side data handling
Hotels respond to RFPs via magic-link (no account required). Hotels never pay Easy RFP — the planner is the only customer. Hotel data is processed under legitimate interest basis (Article 6(1)(f) GDPR) for B2B outreach. One-click unsubscribe per outreach email.
12. Vendor evaluation & security questionnaires
- Email [email protected] with the questionnaire attached (SIG, CAIQ, custom)
- Typical response: under 5 business days
- DPA signature: standard at /dpa/; custom DPA negotiable for Enterprise
13. Reporting a security issue
- Email [email protected] with subject "SECURITY"
- Acknowledged within 24 business hours
- Bug bounty program planned for H2 2026 once paid customer base reaches 50+
- Responsible disclosure appreciated; coordinated public disclosure timeline negotiated case-by-case
14. Compliance contacts
- Email: [email protected]
- Subject prefix: "SECURITY" / "GDPR" / "VENDOR ASSESSMENT" / "DPA"
- Response SLA: 24 business hours acknowledgment, full response within 5 business days
15. Data retention
Easy RFP retains operational data only for as long as necessary for the purpose collected, then anonymises or deletes it according to the schedule below. The retention periods reflect EU GDPR requirements and standard B2B SaaS practice.
- Audit logs: 6 years (financial-records standard, GDPR Art. 30; covers winner-declaration, rate adjudication, contract changes)
- Financial records (invoices, Stripe events, billing history): 6 years
- Active RFPs and proposals: full data retained while RFP is open
- Closed RFPs (winner declared or cancelled): 24 months, then anonymised (PII stripped, aggregate stats kept for benchmarks)
- Hotel proposals (received, not selected): 24 months
- Hotel directory entries (public business contact info): retained while data source remains current; refreshed quarterly
- Inactive user accounts (no login >24 months): account anonymised; PII stripped; you receive 30-day notice via email before anonymisation
- User-uploaded files (PDFs, images attached to RFPs): bound to parent RFP retention
- Email outbound logs (Resend send/open/click events): 12 months
- Suppression list (unsubscribed/bounced addresses): permanent (CAN-SPAM and GDPR compliance requirement)
- Backups: encrypted snapshots retained 30 days rolling, then expired
Right to erasure (GDPR Art. 17): you can request deletion at any time via [email protected] or in-app at /app/account/. We honour requests within 30 days. Note: financial records subject to legal retention obligations cannot be deleted before 6-year minimum elapses (this is disclosed at signup and in the DPA).
16. Rounding & precision policy
All monetary calculations follow IFRS rounding standards to ensure auditability and consistency with corporate finance systems.
- Method: half-up rounding (round-half-away-from-zero), applied to 2 decimal places
- Application level: line-item level, not aggregate. Example: €5,432.567 → €5,432.57 (NOT €5,432.56)
- Currency conversions: applied AFTER rounding at line-item level (no rounding compounding)
- Tax calculations: VAT/GST computed on rounded line items
- Reporting outputs (CSV, PDF, dashboards): consistent with internal calculations to the cent
- Audit trail: raw unrounded values retained in the raw_amount_cents column for forensic reconciliation if required
This policy aligns with IFRS, US GAAP, and most European corporate finance practice. If your organization requires a different rounding method (e.g., banker's rounding for specific tax jurisdictions), contact us — Enterprise plans can configure org-level overrides.
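The policy above worked through in Python, as an added example (not Easy RFP's own code): half-up rounding per line item, VAT on the rounded net, currency conversion after rounding, and the raw value kept alongside. The line items, VAT rate and FX rate are constructed; the field names are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def round_half_up(value):
    """Half-up (half away from zero) to two decimals, as the policy states.
    Decimal.quantize is used because float arithmetic and Python's round()
    do not give this behaviour."""
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)

def builtin_round(value):
    """For contrast: round() on a Decimal uses the context default, which is
    banker's rounding (half to even), the method the policy does NOT use."""
    return round(Decimal(value), 2)

def settle_line_items(items, vat_rate, fx_rate=Decimal("1")):
    """Apply the policy to (description, raw_amount) pairs:
    round each line item, compute VAT on the rounded net, convert currency
    only after rounding, and keep the raw unrounded amount for reconciliation."""
    lines, net_total, vat_total = [], Decimal("0"), Decimal("0")
    for description, raw in items:
        raw = Decimal(raw)
        net = round_half_up(raw)                    # line-item level rounding
        vat = round_half_up(net * vat_rate)         # VAT on the rounded item
        converted = round_half_up(net * fx_rate)    # FX after rounding
        lines.append({"item": description, "raw_amount": raw, "net": net,
                      "vat": vat, "converted": converted})
        net_total += net
        vat_total += vat
    return {"lines": lines, "net_total": net_total, "vat_total": vat_total,
            "gross_total": net_total + vat_total}

def line_item_vs_aggregate(items):
    """Return (sum of rounded lines, rounded sum of raw lines). The two can
    differ by cents, which is why the policy pins the rounding level."""
    line_level = sum(round_half_up(raw) for _, raw in items)
    aggregate = round_half_up(sum(Decimal(raw) for _, raw in items))
    return line_level, aggregate

# Constructed sample RFP line items in EUR; amounts are strings so they
# enter Decimal exactly rather than via binary float.
SAMPLE_ITEMS = [("Plenary room", "5432.567"),
                ("Coffee breaks", "0.125"),
                ("AV package", "0.125")]

if __name__ == "__main__":
    print(settle_line_items(SAMPLE_ITEMS, Decimal("0.19"), Decimal("1.08")))
    print(line_item_vs_aggregate(SAMPLE_ITEMS))
```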
17. Change log
- 2026-05-04 (v2): Sections 15 (Data retention) and 16 (Rounding & precision policy) added.
- 2026-05-04 (v1): Trust center v1 published. Subprocessors disclosed. Certifications roadmap committed.
For Privacy Policy, see /privacy/ · For Terms of Service, see /terms/ · For Data Processing Addendum, see /dpa/