Security & Compliance

Trust Center

Security, compliance, and data protection are foundational to everything we build.

Last updated: March 2026

Infrastructure & Hosting

EU-hosted in Frankfurt (eu-central-1). Powered by Supabase (PostgreSQL) with Vercel Edge Network for global performance. All data stays within the European Union.

  • Region: EU (Frankfurt, eu-central-1)
  • Database: Supabase (PostgreSQL 15)
  • CDN: Vercel Edge Network (300+ PoPs)
  • Data residency: European Union

Data Encryption

TLS 1.3 for all data in transit. AES-256 encryption at rest for all database storage (Supabase default). No unencrypted data leaves our systems.

  • In transit: TLS 1.3 (HTTPS enforced)
  • At rest: AES-256 (Supabase default)
  • Backups: Encrypted, daily, 30-day retention
  • Key management: Provider-managed keys

Authentication & Identity

OAuth 2.0 with the PKCE flow. SSO/SAML 2.0 for enterprise organizations is on the roadmap for Q3 2026. Multi-Factor Authentication (MFA) is available for all accounts, and admins can enforce MFA org-wide. All tokens are stored hashed with SHA-256.

  • OAuth 2.0 with PKCE
  • SSO/SAML 2.0 (Roadmap Q3 2026)
  • MFA support (TOTP)
  • Org-wide MFA enforcement
  • SHA-256 token hashing

Access Control

Role-Based Access Control (RBAC) with 4 roles: Super Admin, Admin, Closer, Setter. Row-Level Security (RLS) enforced on all Supabase tables. Scope-based API keys with granular permissions.

  • 4 RBAC roles: Super Admin, Admin, Closer, Setter
  • Row-Level Security (RLS) on all tables
  • Scope-based API keys
  • Principle of least privilege

API Security

Rate limiting with fail-closed design. HMAC-SHA256 webhook signing for all outbound webhooks. SSRF protection on all server-side requests. All API endpoints require authentication.

  • Rate limiting (fail-closed)
  • HMAC-SHA256 webhook signing
  • SSRF protection
  • Authentication required on all endpoints

Privacy & Compliance

Fully GDPR compliant. Data Processing Agreement (DPA) available on request. Data Protection Impact Assessment (DPIA) completed for AI profiling features. 15 compliance documents maintained in our GDPR Center. Cookie consent with granular category controls.

  • GDPR / DSGVO compliant
  • DPA available on request
  • DPIA for AI profiling (Art. 35)
  • 15 compliance documents
  • Granular cookie consent

AI Data Handling

PII pseudonymization before any external AI processing. AI scoring opt-out available under GDPR Art. 22. Betriebsrat (works council) gate for German organizations deploying AI performance scoring. No personal data is used to train third-party AI models.

  • PII pseudonymization before AI processing
  • Art. 22 opt-out for AI scoring
  • Betriebsrat (works council) gate for German organizations
  • No data used for third-party model training

Monitoring & Incident Response

Automated breach notification system (Art. 33-34 GDPR). Configurable data retention engine with automatic cleanup. Comprehensive audit logging for all sensitive operations. 72-hour breach notification tracking.

  • Breach notification (Art. 33-34)
  • Data retention engine with auto-cleanup
  • Audit logging for sensitive operations
  • 72-hour breach notification tracking

Compliance

GDPR: Compliant

Uptime, Backup & Business Continuity

Uptime SLA: 99.9% target

Vercel Edge Network with 300+ PoPs. Automatic failover and global CDN distribution. See our SLA for full details.

Backup Policy: daily, encrypted

Automated daily backups with AES-256 encryption. 30-day retention period. Point-in-time recovery available on Enterprise plans.

Disaster Recovery: RTO < 4h

Multi-region infrastructure with automated recovery procedures. Recovery Time Objective under 4 hours. Recovery Point Objective under 1 hour.

Security Contact

For security inquiries, vulnerability reports, or to request compliance documentation:

security@isale.deals

iSale Deals Ltd., Dubai, UAE | Response within 48 hours