Security
TL;DR: End-to-end encryption. RLS on every table. SOC 2 Type II within 12 months. Quarterly pen tests. 72-hour breach notification.
Infrastructure
- Hosting: Supabase (on AWS) — multi-AZ, automatic backups, point-in-time recovery
- Regions: Primary: AWS us-east-2 (Ohio). EU + Brazil regions available for Enterprise customers requiring data residency.
- CDN: Vercel / Cloudflare for static assets and edge caching
- DDoS protection: Cloudflare
Data security
- Encryption in transit: TLS 1.3 minimum. HSTS enforced. No mixed content.
- Encryption at rest: AES-256 for database, file storage, and backups.
- Secrets: stored in Supabase Vault (encrypted, only Edge Functions can read).
- API keys: rotatable per environment. Service-role keys never exposed to clients.
- Row-Level Security (RLS): every table has policies — users can only read/write their own data.
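What "every table has policies" looks like in Postgres on Supabase, as an added example rather than Auttiv's own schema or code: the `leads` table, its columns and the test user id are constructed for illustration, and the test session assumes Supabase's `auth.uid()` reads the `sub` claim from the `request.jwt.claims` setting.

```sql
-- Hypothetical table: one row per record, owned by exactly one user.
create table public.leads (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Step 1: turn RLS on. With no policies yet the table denies everything to the
-- anon/authenticated roles. The service_role key bypasses RLS, which is why it
-- must never be shipped to a client.
alter table public.leads enable row level security;
-- Apply RLS to the table owner as well, so a misconfigured connection cannot bypass it.
alter table public.leads force row level security;

-- Step 2: one policy per operation, each keyed on the caller's JWT subject.
-- USING filters the rows a statement may see; WITH CHECK validates rows it writes.
create policy "leads_select_own" on public.leads
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy "leads_insert_own" on public.leads
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

create policy "leads_update_own" on public.leads
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

create policy "leads_delete_own" on public.leads
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- Step 3: verify the policy from a simulated request instead of trusting it.
-- Constructed user id; in production the sub comes from the verified JWT.
begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub": "00000000-0000-0000-0000-000000000001"}';
  -- Returns only rows whose owner_id equals the sub above; other users' rows are invisible.
  select count(*) from public.leads;
rollback;
```

Two points worth checking in a review: a table with RLS enabled but no policy for an operation silently denies that operation for the anon/authenticated roles, so every table needs explicit select/insert/update/delete policies; and the `with check` clause on insert and update is what stops a user from writing a row with someone else's `owner_id`, which `using` alone does not prevent.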
Access controls
- Password rules: minimum 8 characters, bcrypt-hashed
- MFA: TOTP-based, optional for Pro, required for Dealer Pro and Enterprise
- SSO: SAML 2.0 / OIDC for Enterprise (Okta, Azure AD, Google Workspace)
- Session management: 24-hour rolling sessions. Force logout on password change.
- Employee access: least-privilege. Background checks. SSO + MFA. Audit logged.
Application security
- OWASP Top 10 mitigations (CSP, XSS protection, CSRF tokens, SQL injection prevention via parameterized queries)
- Dependency scanning via GitHub Dependabot + Snyk
- SAST (static analysis) on every PR
- Secret scanning to prevent accidental commits of API keys
- No third-party trackers or pixels (see Cookies Policy)
Compliance & certifications
- SOC 2 Type I: in progress (target: Q3 2026)
- SOC 2 Type II: within 12 months of Type I
- GDPR / UK GDPR: compliant. EU representative appointed.
- LGPD (Brazil): compliant. DPO available for inquiries.
- CCPA / CPRA (California): compliant.
- TCPA (USA): built-in consent tracking and opt-out workflows.
- A2P 10DLC: Twilio toll-free verification process.
- HIPAA: not in scope (no PHI processed).
- PCI DSS: Stripe is PCI-DSS Level 1 certified; we never handle card data directly.
Operations
- Backups: Daily encrypted snapshots, retained 30 days. Point-in-time recovery up to 7 days.
- Monitoring: Sentry for errors, Plausible for usage, Supabase native logs for database.
- Incident response: 24/7 on-call rotation. Breach notification within 72 hours per GDPR Art. 33.
- Status page: status.auttiv.com (uptime, incidents, scheduled maintenance)
- Penetration testing: annually by reputable third party + quarterly internal scans
- Vulnerability disclosure: security@auttiv.com · responsible disclosure rewarded
Customer responsibilities
Even with all our controls, security is shared:
- Use a strong, unique password for Auttiv
- Enable MFA (especially for admin accounts)
- Don't share login credentials
- Log out from shared devices
- Review user access regularly (Dealer tier)
- Report suspicious activity to support@auttiv.com immediately
Bug bounty
We reward responsible disclosure. Email security@auttiv.com with:
- Reproduction steps
- Impact assessment
- Your contact info
Rewards range from $100 (low severity) to $5,000 (critical). We respond within 5 business days.
Contact
Security issues: security@auttiv.com
Audit requests (Enterprise): trust@auttiv.com
PGP key for sensitive reports: available on request