Security

Security and privacy posture, explained plainly.

We treat security as an architectural property, not a checklist. Here's how we keep your data safe and your tenants isolated.

Tenant isolation

Every domain table has a tenant_id column and a Postgres Row-Level Security (RLS) policy. The application sets the tenant context per request; the database enforces it. If our application code forgets to scope a query, RLS returns zero rows rather than another tenant's data. Cross-tenant access through the API is therefore impossible regardless of any application bug.
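
As an added illustration of the pattern described above (not the product's own schema), here is a Postgres RLS setup where an unscoped query, or a request that never set a tenant context, yields zero rows; the table, role and setting names (bookings, app_user, app.tenant_id) are assumptions:

```sql
-- Added example, not the product's own schema. Table, role and
-- setting names (bookings, app_user, app.tenant_id) are assumptions.

CREATE TABLE bookings (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    guest_name text NOT NULL
);

-- The application connects as a plain role: superusers and roles with
-- BYPASSRLS are never subject to RLS policies, so they must not be used
-- by request-serving code.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON bookings TO app_user;
GRANT USAGE, SELECT ON SEQUENCE bookings_id_seq TO app_user;

ALTER TABLE bookings ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well.
ALTER TABLE bookings FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when app.tenant_id was never
-- set, and '' after a SET LOCAL from an earlier transaction has expired
-- on a pooled connection; NULLIF maps both cases to NULL, so the
-- comparison is NULL and the policy admits zero rows.
CREATE POLICY tenant_isolation ON bookings
    FOR ALL TO app_user
    USING (tenant_id =
           NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id =
           NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request pattern: SET LOCAL scopes the tenant to this transaction,
-- so it cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- No WHERE tenant_id = ... here, yet only this tenant's rows come back.
SELECT id, guest_name FROM bookings;
COMMIT;

-- Writing a row for a different tenant fails the WITH CHECK clause with
-- "new row violates row-level security policy", so a bug cannot plant
-- data in another tenant's account either.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO bookings (tenant_id, guest_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Mallory');
ROLLBACK;
```

Run as the app_user role; the policy is what limits the rows, so a SELECT issued without any tenant context set is a safe no-op rather than a leak.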

EU residency by default

Postgres, file storage, email, and observability are all configured to EU regions. Stripe is the only unavoidable cross-region dependency, and it is covered by Stripe's DPA. Residency is configurable per region as we expand.

Encryption

TLS 1.2+ on every connection with HSTS preload. Encryption at rest at the storage layer. Sensitive guest fields (passport, medical) additionally encrypted at the application layer with per-tenant keys.

Authentication

Magic-link by default. Optional password with Argon2id. 2FA for tenant Owners. Webhook endpoints verify signatures and enforce idempotency. Card data never touches our servers — Stripe Elements / Checkout only.

Audit log

Every write logged with actor, timestamp, before/after where reasonable. User-visible activity timelines derive from the same source. Retention ≥ 12 months.

Backups & restore

Nightly Postgres dumps to a separate region with 30-day retention. Hourly WAL archiving for point-in-time recovery. Quarterly tested restore exercises — we restore to a fresh server and run smoke tests.

Platform admin elevation

Platform admins do not have silent god-mode reads. Access requires an explicit support session with a recorded reason and time-box. Tenant Owners see a feed of every elevation that touched their data.

What we don't do

We don't move tenant funds — Stripe Connect routes payments directly to your account. We don't share tenant data across tenants for analytics, training, or anything else. We don't sell data, ever.

Compliance

GDPR-ready, by construction.

DPA available to every tenant on request. Sub-processor list maintained and notified on changes. Data subject access and deletion requests fulfilled within statutory timeframes.

  • EU data residency
  • DPA available
  • Sub-processor list maintained
  • Right to access & deletion
  • Nightly off-region backups
  • PCI scope minimized via Stripe

Disclosure

Found a vulnerability? Tell us.

Email [email protected]. We answer fast. Our security.txt is at /.well-known/security.txt.

Stop being the bottleneck.

Start free. No card. Designed to replace the spreadsheet, the inbox, the DMs — not add another tab.