Security & data protection
Your invoices, contracts, and client records are some of the most sensitive data in your business. Here’s how we protect them.
Where your data lives
- Database + file storage: Supabase (Frankfurt, EU). ISO 27001 + SOC 2 Type II certified.
- Email delivery: Brevo (EU).
- Payments: Razorpay (India). PCI DSS Level 1 certified.
- Error tracking: Sentry (EU). Personal identifiers are scrubbed before being sent.
- Analytics: PostHog (EU). Respects DNT, no PII in events.
- Customer support: handled first-party within Stackivo; we only see what you choose to send us.
Encryption
- In transit:TLS 1.2 or higher on every connection. HTTP → HTTPS redirects + HSTS.
- At rest: AES-256 encryption on the database and object storage layer (Supabase platform default).
- Passwords: bcrypt-hashed by Supabase Auth. We never see the plaintext.
Workspace isolation
Every row in our database carries a user_id. Postgres row-level security policies enforce that no authenticated user can ever read or write rows that don’t belong to their workspace. This is checked at the database layer, not in application code, so even a serious application-level bug cannot leak cross-tenant data.
Backups & durability
- Automated daily backups, retained for 7 days.
- Point-in-time recovery to any 5-minute window in the last 7 days.
- Database replicated across multiple availability zones.
- Object storage replicated within the EU region.
Authentication & session security
- Email + password (bcrypt) and Google OAuth.
- Multi-factor authentication (TOTP) available in account settings.
- HTTP-only, secure, SameSite session cookies.
- Automatic suspicious-login detection + email alert.
Compliance
- India DPDP Act 2023: we operate as your data fiduciary, with documented retention, export, and deletion rights. See privacy policy.
- GST records retention: tax-related records (e.g. GST invoices) are retained for 8 years per Indian law, even after account deletion, in anonymised form.
- Subprocessor list: the providers above are our only data processors. Material changes are notified at least 14 days in advance.
Your rights
- Export: one-click JSON export of every record you own, anytime.
- Delete: account closure soft-deletes immediately, permanent deletion after a 30-day recovery window.
- Correct: inline editing of any record. For identity / login data, email [email protected].
- Object: opt out of analytics any time via the account settings.
Incident response
If we ever experience a security incident affecting your data, we’ll notify you by email within 72 hours, with a clear description of what happened, what data was involved, and what we’re doing about it.
Reporting a vulnerability
Found a bug or potential vulnerability? Email [email protected]. We respond within 48 hours and credit responsible disclosures (with your permission) on this page.
Questions?
Anything else — reach us at [email protected] or via the contact page. We’ll happily provide a DPA, share infrastructure diagrams, or walk through our controls in detail.