Trust Center
Encryption
Last reviewed: 2026-05-25
This page describes how customer data is encrypted at three layers: at rest in the database and object storage, in transit on the wire, and in the application layer for PWA offline drafts.
At rest
- Database (Supabase managed Postgres, Sydney). Storage volumes are encrypted with AES-256 by the platform provider. Managed key rotation is handled by the platform.
- Object storage (Supabase Storage, Sydney). Server-side encryption is enabled by default. All buckets are private and access is mediated by signed URLs scoped to the requesting tenant via Row-Level Security.
- Audit-log mirror (AWS S3 Sydney with Object Lock). SSE-S3 (AES-256). Object Lock is configured in compliance mode with a 7-year retention period. The bucket has no public access, and write permission is held by a single mirror role with no delete capability.
- Backups. Supabase point-in-time recovery is enabled. Backups inherit the underlying storage encryption and remain in the Sydney region.
In transit
- External traffic. TLS 1.2 or above is enforced for every request to
compliancecare.com.auand to the authenticated app. HSTS is enabled with a one-year max-age andincludeSubDomains. - Internal traffic. Application-to-database traffic uses TLS through the Supabase connection pooler. Fly.io intra-machine traffic uses the platform's encrypted private network.
- Webhooks. Inbound webhooks (Stripe, e-signature, transactional email status) are verified by signature before any side-effect is taken.
Application layer — encrypted offline drafts (PWA)
The Pocket PWA supports offline drafting (incident-report draft, observation, photo capture) for frontline workers who lose connectivity. Offline drafts may contain participant information, and are written to IndexedDB on the device.
Design in force:
- AES-GCM with a 256-bit key. All draft objects are encrypted before being written to IndexedDB.
- Session-derived key. The encryption key is derived from the authenticated session and is held only in the in-memory page context. The key is not persisted to disk and is discarded when the session ends or the device is locked.
- Scoped Service Worker. The Service Worker scope is limited to the authenticated app origin and does not cache responses containing participant data.
- Server-enforced session timeout. A short session lifetime is enforced server-side. When the session expires, the key is no longer available, and existing encrypted drafts can no longer be opened on the device.
- One-click session revoke. A user (or their tenant admin) can revoke all sessions for an account, which immediately invalidates the key on every device.
- Post-upload removal. Photos taken offline are uploaded directly to Supabase Storage (Sydney, private, RLS-scoped). The browser-temp copy is removed from device storage as soon as the upload is confirmed.
Keys and secrets
- Managed encryption keys (Supabase, S3) are held by the platform provider and rotated on the provider's schedule.
- Application secrets (API keys, webhook signing secrets) are stored in Fly.io secrets and are not committed to the repository.
- Operator credentials require multi-factor authentication on every administrative role.
Algorithms we have chosen against
- We do not use roll-your-own encryption schemes. All algorithms are platform-provided (AES-256, TLS 1.2+) or use the Web Crypto API standard implementation (AES-GCM).
- We do not store any participant data in
localStorageor in unencrypted IndexedDB stores.
Change log
| Date | Change |
|---|---|
| 2026-05-25 | Initial publication. |
