EU (Frankfurt)
Default for UK and EU organisations. Supabase Postgres in `eu-central-1`. Workers run globally but data origin stays in-region. Sub-processors all EU-resident or under SCCs.
Security
How we keep your translations safe.
Compliance milestones, encryption, data residency, audit log, sub-processors, and how to disclose a vulnerability.
Where we are and where we're going.
| Standard | Status | Notes |
|---|---|---|
| GDPR Article 28 DPA | Live | Pre-signed, available at signup. Custom DPAs supported on Business+. |
| Sub-processor register | Live | Public; 30-day change notice to subscribers. |
| UK Cyber Essentials Plus | In progress | Targeting within 6 months of launch. |
| SOC 2 Type I | In progress | Year 1 — audited by Big-4 affiliate firm. |
| SOC 2 Type II | Planned | Year 2 — 12-month observation window starts post-Type-I. |
| ISO 27001 | Planned | Year 2 — staged with SOC 2 Type II. |
EU or US. Locked at signup.
US (Virginia)
For US-headquartered organisations. Supabase Postgres in `us-east-1`. Same product, separate database. No cross-region replication without explicit opt-in.
Singapore region planned for v1.1. Custom residency available on Enterprise.
In transit and at rest.
- · TLS 1.3 for every endpoint. HSTS preload-listed.
- · AES-256 at rest via Supabase-managed encryption.
- · AES-256-GCM envelope encryption for webhook secrets, API tokens, OAuth tokens.
- · Per-tenant encryption keys on Enterprise (BYOK supported).
- · Cloudflare R2 Object Lock for 90 days on backups.
- · Encrypted Postgres backups via Supabase PITR (7 days default, 28 days on Business+).
Who can do what.
- · Supabase Auth for email/password + magic links + OAuth (Google, GitHub).
- · WorkOS for SAML SSO on Business+ (Okta, Azure AD, OneLogin, Google Workspace).
- · SCIM 2.0 provisioning on Enterprise.
- · MFA available for all users; required for Enterprise admin actions.
- · Passkeys rolling out in v1.1.
- · Row-level security (RLS) at the database level — not application-level only.
Every state change. Queryable.
Every API call that changes state writes to an append-only audit log: actor, action, target, before/after, IP, user-agent, timestamp. Default retention is 24 months; 7 years on Enterprise. Export available as NDJSON or via webhook stream.
Point-in-time recovery + cold storage.
- · Supabase PITR — 7 days default, 28 days on Business+.
- · Daily Postgres dump to R2 with 90-day Object Lock — protects against ransomware on hot DB.
- · Annual restore drill — RTO <4 hours, RPO <5 minutes. Drill report available to Enterprise customers.
Who handles your data.
Live sub-processor register at /legal/sub-processors. 30-day change notice to subscribers via email and changelog.
Found something? Tell us.
Email security@paragraphs.co.uk with a clear repro and your preferred contact channel. We follow a 90-day coordinated disclosure timeline. We don't run a paid bounty yet — we credit researchers publicly with consent and we send swag.
Out of scope: social engineering, physical attacks, DDoS, automated scanning without an exploitable finding.
One PDF for procurement.
Email-gated download: GDPR DPA, sub-processor register, in-flight SOC 2 status, encryption posture, deployment options, and the standard procurement questionnaire pre-filled.
Request the trust packHave a procurement question we haven't answered?
Email security@paragraphs.co.uk and we'll reply within one business day.