trust & security
tl;dr — whitelabel.dev runs on supabase + vercel with row-level security on every user table, libsodium-encrypted api keys, sentry-tracked errors on all three surfaces, daily backups, and a documented vulnerability disclosure policy. soc 2 type i prep starts q3 2026. one page. one source of truth for procurement reviews.
/01 security posture
- auth — supabase auth with email magic links and google oauth. pairing tokens for the extension rotate every 90 days. jwt bearer auth for mobile and api access.
- authorisation — postgres row level security on every user-data table. workspace member roles (owner / admin / member) enforced at the database layer plus a defense-in-depth check in the api.
- encryption in transit — tls 1.2+ everywhere, enforced by vercel and supabase.
- encryption at rest — supabase encrypts the postgres volume. user-supplied ai api keys live in supabase vault (libsodium aead) — never in a plaintext column.
- secret management — service-role keys and provider secrets live in vercel env vars. zero secrets committed to source control. secret detection runs in ci.
- session integrity — sign-out wipes all per-user local cache across web, extension, and mobile. user-change detection on every sign-in path prevents cross-account leakage on shared devices.
- rate limiting — two-layer: edge (vercel firewall) plus in-code per-user / per-token limits via upstash redis, tiered for auth, sync, and destructive operations.
- audit log — every security-relevant operation writes to an append-only audit table. users can read their own log.
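as an added illustration (not whitelabel.dev's own schema or policies), the database-layer role enforcement described above can be written as supabase row level security policies; the table names, the `notes` example table and the `has_workspace_role` helper are assumed.

```sql
-- hypothetical tables; names are assumed, not whitelabel.dev's actual schema.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table notes (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  owner_id     uuid not null references auth.users (id),
  body         text not null
);

-- rls is opt-in per table; without these lines every policy below is inert.
alter table notes enable row level security;
alter table workspace_members enable row level security;

-- helper (assumed name): does the caller hold one of the given roles in the
-- workspace? security definer lets it read workspace_members without tripping
-- that table's own rls; a fixed search_path stops function/table shadowing.
create or replace function has_workspace_role(ws uuid, roles text[])
returns boolean language sql security definer stable
set search_path = public as $$
  select exists (
    select 1 from workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()
      and m.role = any (roles)
  );
$$;

-- any member of the workspace may read its notes.
create policy notes_select on notes for select
  using (has_workspace_role(workspace_id, array['owner', 'admin', 'member']));

-- members may insert, but only rows stamped with their own user id.
create policy notes_insert on notes for insert
  with check (owner_id = auth.uid()
              and has_workspace_role(workspace_id, array['owner', 'admin', 'member']));

-- destructive operations are limited to owners and admins.
create policy notes_delete on notes for delete
  using (has_workspace_role(workspace_id, array['owner', 'admin']));

-- users see only their own membership rows; no policy for other commands
-- means no insert/update/delete through the anon or authenticated roles.
create policy members_self on workspace_members for select
  using (user_id = auth.uid());
```

policies are permissive and additive: a row passes only if some policy for that command matches, so a table with rls enabled and no policy returns nothing to ordinary roles, which is the safe default the api-layer check then duplicates.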
/02 compliance status
- gdpr — right to erasure shipped via /api/account-wipe. data processing addendum (dpa) template available on request. eu data residency planned for 2027 if eu enterprise interest materialises.
- ccpa — same erasure endpoint covers the deletion right. no sale of personal information.
- soc 2 type i — preparation begins q3 2026. evidence collection via vanta / drata; audit window opens once controls are stable. target completion: q4 2026.
- soc 2 type ii — 12-month observation window after type i. target: 2027.
- hipaa baa — supabase supports baa on team plan. enabled on request when a healthcare customer engages.
- iso 27001 — deferred. soc 2 first.
/03 subprocessors
each holds some portion of customer data necessary for whitelabel.dev to operate. all are bound by their own dpa and security obligations.
| vendor | purpose | data held | region |
|---|---|---|---|
| supabase | database, auth, storage, realtime | all customer data | us-east-1 |
| vercel | web hosting + edge + serverless | request/response (transient) | global edge |
| upstash | rate-limit counters | per-user request counts (ephemeral) | us-east-1 |
| sentry | error tracking | stack traces, error metadata (pii-redacted) | us |
| resend | transactional email (invites, etc.) | recipient email, message body | us |
| anthropic | ai inference (when user supplies key) | prompts the user sends (per their own api key) | us |
| openai | ai inference (when user supplies key) | prompts the user sends (per their own api key) | us |
| google | oauth login, optional ai inference | oauth profile (email, name, photo) | global |
we update this list when vendors change. customers using whitelabel.dev for processing eu personal data should reference our dpa for the lawful-basis chain.
/04 reliability + uptime
- internal status page — status.whitelabel.dev. monitors core services every five minutes. flips public once we hit 30 consecutive days of > 99.5 % uptime.
- uptime target — 99.5 % for web + api in 2026, raising to 99.9 % once observability + on-call rotation are in place.
- backups — daily supabase backups, 5 retained. tier-1 restore drill completed 2026-05-19. point-in-time recovery (pitr) re-enabled before the first enterprise sla conversation.
- incident response — sentry alerts on error spikes; a post-incident pillar in our internal production-readiness audit feeds every learning back into the same checklist.
/05 vulnerability disclosure
security researchers: email security@whitelabel.dev. acknowledgement within 72 hours; full safe-harbour terms on our security & disclosure page. machine-readable contact is also published at /.well-known/security.txt (rfc 9116).
/06 data subject rights
- access — users can view all of their data via the live product; api endpoints expose per-table queries.
- erasure — POST /api/account-wipe deletes all user-owned rows across every table. an audit row survives as a record of the request.
- portability — json export endpoint planned for q4 2026.
- rectification — users can edit profile + workspace data directly in the product.
/07 contact
- security issues — security@whitelabel.dev
- privacy + dpa — privacy@whitelabel.dev
- general procurement — hello@whitelabel.dev
we respond to vendor security questionnaires (sig, caiq, custom rfps). expect a 72-hour turnaround for a first response.