Last updated:
This page describes the Technical and Organizational Measures (TOMs) we apply to protect your data.
1. Overview & principles
- Security by default and data minimization.
- Principle of least privilege and environment segmentation.
- Transparency: we publish our subprocessors and DPA.
2. Encryption
- In transit: TLS for all connections (HTTPS, modern cipher suites).
- At rest: platform‑level encryption for storage and backups, where applicable.
- Key management: centralized, access‑restricted, and audited.
3. Access management & authentication
- Roles and permissions with the principle of least privilege (RBAC).
- 2FA for administrator accounts; option to enable 2FA for clients.
- Sessions with limited lifetime, session‑fixation protection, token re‑issuance.
4. Segmentation & data isolation
- RLS/ACL policies in the database.
- Logical isolation of tenant data (multi‑tenant) with per‑request access checks.
- Separate environments: production / staging / development.
5. Infrastructure & network
- Hosting/DB/Auth/Storage on Supabase in the
eu-central-1region. - CDN/DNS/WAF via Cloudflare; L7 attack protection and rate limiting.
- Network segmentation, ingress/egress restrictions, minimal open ports.
6. Application security
- Prevention of XSS/CSRF/SQLi: framework sanitization, prepared statements, CSRF tokens.
- Security headers (CSP, HSTS, X‑Frame‑Options, X‑Content‑Type‑Options).
- Input validation and file‑upload size/type limits.
7. Dependencies & secrets
- Secret management in a provider vault with access rotation.
- Automated CVE monitoring in dependencies, scheduled updates.
- Code review, change control (CI/CD), artifact signing, immutable deploys.
8. Backup & recovery
- Regular database backups with restore verification.
- RPO/RTO targets defined by service requirements; restricted access to backups.
- Periodic test restores.
9. Logging & monitoring
- Access logs, system events, audit of administrative actions.
- Alerts on suspicious activity, health dashboards.
- Log retention typically up to 90 days (longer for investigations).
10. Vulnerability management & testing
- Periodic vulnerability scans of infrastructure and application.
- Unit/Integration/E2E tests of critical paths.
- Optional independent pentests for high‑impact releases.
11. Incident response
- Formalized process: identification → containment → eradication → recovery → post‑mortem.
- Notification of stakeholders without undue delay if an incident affects confidentiality/integrity/availability.
- Reporting channel: sec@cowculator.app.
12. Retention & deletion
- Account data: while the account is active + 30 days for technical completion of processes.
- Logs: typically 90 days (longer as needed for incident analysis).
- Calculator submissions: per client settings or 365 days by default.
13. Subprocessors & transfers
Our current subprocessors are listed at /subprocessors. For international transfers we apply appropriate safeguards (including SCCs); details are provided in the DPA and Privacy Policy.
14. Devices & personnel
- Company devices with full‑disk encryption and hardened access.
- Mandatory 2FA for critical services; periodic access reviews.
- Security awareness training and phishing simulations for the team.
15. Responsible disclosure
We welcome reports of potential vulnerabilities. Please email sec@cowculator.app with sufficient technical details to reproduce. We will acknowledge receipt, assess impact, and provide timelines for remediation.
16. Contacts & resources
- Privacy: privacy@cowculator.app
- Security/incidents: sec@cowculator.app
- Legal: legal@cowculator.app
