Security & Privacy

Built to protect your company's data.

De-Risk Matrix is built with security as a foundation — not an afterthought. We implement industry-standard safeguards at every layer.

Important: No system can guarantee complete protection against all hostile attacks. What we can guarantee is that we follow industry best practices, minimise risk at every layer, and respond swiftly if an incident occurs.
Stripe: PCI DSS Level 1
Supabase: SOC 2 Type II
EU: GDPR compliant
HTTPS: TLS 1.2+ everywhere

How we protect your data

Technical details — and what they mean to you.

Security technicality, followed by what it means to you:

Row Level Security (RLS) enforced at database level
    Only your team can see your data — not other customers, not us. Enforced inside the database itself, not just in the application.

TLS 1.2+ encryption in transit, AES-256 encryption at rest
    Your data is encrypted on the way to our servers and while stored. Unreadable without the right keys — even with physical server access.

EU data residency — Frankfurt, Germany (Supabase EU West)
    Your data never leaves the EU. Stored in Frankfurt, Germany. Compliant with GDPR and Norwegian personal data law.

Stripe PCI DSS Level 1 — payment processing
    We never store your card details. Payments are handled by Stripe — the same infrastructure used by Amazon, Spotify and thousands of banks worldwide.

Bcrypt password hashing with salt
    Your password is stored as a one-way hash. It cannot be reversed — not by attackers, and not by us.

Short-lived JWT session tokens with automatic expiry
    Your login session expires automatically. No persistent tokens that can be quietly stolen and reused.

Supabase infrastructure — SOC 2 Type II certified
    Our database provider is independently audited for security controls every year by a third-party auditor.

Secrets managed via Supabase Vault — never in source code
    API keys and credentials are stored in a secure secret vault, not in the application code or version control.

CORS policy — API functions restricted to authorized origins only
    Our server functions only accept requests from the De-Risk Matrix application. Requests from unknown domains are blocked at the API level before any logic runs.

Admin operations enforced at database level (PostgreSQL SECURITY DEFINER)
    User management and company access changes require super-admin status verified inside the database — not just in the UI. An attacker who bypasses the interface still cannot execute admin operations.

Automated dependency vulnerability scanning (Snyk)
    All software dependencies are continuously monitored for known vulnerabilities. Security patches are applied promptly when issues are discovered — not on a quarterly schedule.
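To show what "enforced inside the database" and "verified inside the database" look like in practice, here is an added illustration written for this page; it is not De-Risk Matrix's own schema or code. It assumes a Supabase-style PostgreSQL setup (the `auth.uid()` helper and the `authenticated` role) and uses hypothetical table and column names (`companies`, `memberships`, `risks`, `is_super_admin`).

```sql
-- Added example, not De-Risk Matrix's code. Table and column names are hypothetical;
-- auth.uid() and the "authenticated" role are Supabase conventions.
create table companies (id uuid primary key, name text not null);
create table memberships (
  user_id        uuid not null,                            -- auth.uid() of the member
  company_id     uuid not null references companies(id),
  is_super_admin boolean not null default false,
  primary key (user_id, company_id)
);
create table risks (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null references companies(id),
  title      text not null
);

-- 1. Tenant isolation with RLS: a row is visible (and writable) only to members
--    of the company it belongs to, no matter what the application layer asks for.
alter table risks enable row level security;
alter table risks force row level security;   -- applies even to the table owner
create policy risks_tenant_isolation on risks
  for all
  using      (company_id in (select company_id from memberships where user_id = auth.uid()))
  with check (company_id in (select company_id from memberships where user_id = auth.uid()));

-- 2. Admin operation as a SECURITY DEFINER function: the super-admin check lives in
--    the function body, so a caller who skips the UI and calls it directly still fails.
create or replace function grant_company_access(target_user uuid, target_company uuid)
returns void
language plpgsql
security definer
set search_path = public, pg_temp   -- pin search_path: the body runs with the owner's rights
as $$
begin
  if not exists (
    select 1 from memberships
    where user_id = auth.uid() and company_id = target_company and is_super_admin
  ) then
    raise exception 'super-admin status required' using errcode = '42501';
  end if;
  insert into memberships (user_id, company_id) values (target_user, target_company)
  on conflict do nothing;
end;
$$;

-- Only signed-in users may even call the function; the body decides who succeeds.
revoke execute on function grant_company_access(uuid, uuid) from public;
grant  execute on function grant_company_access(uuid, uuid) to authenticated;
```

In a real deployment the `memberships` table needs its own RLS policy as well (omitted here for brevity), and every SECURITY DEFINER function should pin `search_path` as shown, since it executes with its owner's privileges.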

Security questions or responsible disclosure

Found a vulnerability? Need a Data Processing Agreement (DPA)? Get in touch and we will respond as soon as possible.

post@deriskmatrix.com