πŸ” GetCimple Security Posture

What We Do (Day 1)

  • Data Encryption: All data encrypted at rest via Supabase (AES-256)
  • HTTPS Only: All traffic encrypted via Cloudflare SSL
  • No Password Storage: Authentication handled by Kinde (OAuth/SAML)
  • Secure File Storage: Customer files in isolated Supabase buckets
  • API Security: All endpoints require valid JWT tokens
  • Audit Logging: Every data access logged with timestamp/user
  • Backup Strategy: Daily automated backups, 30-day retention

Australian Data Requirements

  • Hosting Location: Sydney, Australia (Supabase region)
  • Compliance: Privacy Act 1988, Notifiable Data Breaches scheme
  • Data Sovereignty: All customer data remains in Australia
  • Right to Access: Customers can export all data anytime
  • Deletion Policy: Full deletion within 30 days of request

Access Control

  • Admin Users: 2FA required (via Kinde)
  • API Keys: Scoped, rotatable, audited
  • Database: Row-level security on all tables
  • Support Access: No production access without customer consent

What We Monitor

  • Failed login attempts
  • API rate limits (1000 req/hour)
  • File upload sizes (100MB max)
  • Unusual access patterns
  • System health metrics

Incident Response

  1. Detection: Automated alerts via Cloudflare
  2. Assessment: Severity classification (15 min)
  3. Containment: Isolate affected systems
  4. Communication: Notify affected customers
  5. Recovery: Restore from backups if needed

What We Don't Do Yet

  • SOC 2 certification (Year 2 goal)
  • Penetration testing (After 50 customers)
  • Bug bounty program (Post-revenue)
  • Advanced DLP (Future enhancement)
  • SIEM integration (Enterprise feature)

Security Contact

Email: security@getcimple.com

Response Time: Critical: 2 hours, Other: 24 hours

Customer Responsibilities

  • Secure their own devices
  • Manage their user access
  • Report suspicious activity
  • Keep contact info updated
  • Review audit logs monthly