Trust & Security
What we do to protect customer data, and how to report a problem.
Last updated: 14 May 2026
Our posture in one paragraph
RegCheck360 runs on Vercel (Sydney edge) and Supabase Postgres (ap-southeast-2). All traffic is HTTPS-only with HSTS. Customer data is encrypted at rest. Authentication is handled by Supabase Auth with short-lived JWTs. Customer formula data is treated as confidential: it is never used to train models and is never shown to other customers or to manufacturers without an explicit action you initiate.
Hosting and data residency
- Application: Vercel (Next.js runtime, edge functions, image optimisation). Production pinned to syd1.
- Database: Supabase Postgres in ap-southeast-2 (Sydney). Daily managed backups.
- File storage: Supabase Storage in the same region.
- Email: Resend.
- Payments: Stripe (we never touch card numbers; PCI scope is SAQ-A).
- AI processing: Anthropic Messages API. Ingredient and formula text is sent on demand; nothing else.
- Error monitoring: Sentry. Stack traces only; we do not capture request bodies by default.
- Edge / DNS / bot mitigation: Cloudflare.
Transport security
- TLS 1.2+ enforced via HSTS with max-age=63072000; includeSubDomains; preload.
- Clickjacking protection: X-Frame-Options: DENY.
- MIME-sniffing disabled: X-Content-Type-Options: nosniff.
- Strict referrer policy: strict-origin-when-cross-origin.
- Sensor APIs disabled: Permissions-Policy: camera=(), microphone=(), geolocation=().
- Content-Security-Policy is being rolled out in Report-Only mode and will be enforced after observation.
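The header set above as a Next.js next.config.js headers() entry, including the Report-Only CSP stage described in the last bullet. This is an added illustration, not RegCheck360's own configuration; the CSP directives and the /api/csp-report endpoint are assumptions, since the page does not publish its policy.

```javascript
// next.config.js: emit the browser-hardening headers listed above on every route.
// Added illustration, not RegCheck360's own configuration. The CSP directives and the
// /api/csp-report endpoint are assumptions; the other header values come from the page.

// Report-Only policy: browsers send violation reports to the endpoint but block nothing,
// so the observation phase cannot break the app while the allow-list is being tuned.
const CSP_POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "img-src 'self' data:",
  "connect-src 'self' https://*.supabase.co",
  "frame-ancestors 'none'",
  "report-uri /api/csp-report",
].join('; ');

function securityHeaders({ enforceCsp = false } = {}) {
  return [
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
    // Flip enforceCsp to true only once the report-only phase shows no legitimate violations.
    {
      key: enforceCsp ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
      value: CSP_POLICY,
    },
  ];
}

// Self-check for a deploy: which CSP mode is actually being emitted?
function cspMode(headers) {
  const keys = headers.map((h) => h.key);
  if (keys.includes('Content-Security-Policy')) return 'enforced';
  if (keys.includes('Content-Security-Policy-Report-Only')) return 'report-only';
  return 'none';
}

const nextConfig = {
  async headers() {
    // Apply to every path; Next.js merges these with per-route headers.
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

// next.config.js is CommonJS; the guard only keeps this file loadable as a plain script too.
if (typeof module !== 'undefined') module.exports = nextConfig;
```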
Authentication
- Email + password with bcrypt-equivalent hashing handled by Supabase Auth.
- Short-lived JWT access tokens with refresh-token rotation.
- Password reset flow is email-link based; reset tokens are single-use and expire quickly.
- TOTP-based 2FA and SSO (Google Workspace, Microsoft Entra) are on the roadmap for the Team plan.
Data segregation and access control
- Customer data is isolated by Supabase Row-Level Security policies tied to the authenticated user's ID.
- Admin queues (marketplace approvals, regulatory triage) sit behind a separate admin gate.
- Service-role credentials are restricted to server-side functions and rotated when staff leave.
Customer formula data
We treat formulas you submit as commercially sensitive. They are stored encrypted at rest, access is role-gated, and they are never used to train AI models. If you delete your account we delete the associated formula records, except where we are legally required to retain a record (e.g. for tax purposes).
Backups and disaster recovery
- Daily Supabase managed backups with point-in-time recovery on paid Supabase tiers.
- Stateless application servers; restoring the database restores the service.
- Regulatory data pipelines are idempotent and can be re-run against current TGA / FSANZ / ANVISA / NHPID sources at any time.
Monitoring
- Sentry for application errors with severity-based alerts.
- Uptime Kuma for external probe checks (status page at uptime.healthicons.ai/status/regcheck360).
- A daily regulatory-pipeline digest that emails the admin if any scrubber fails or returns nothing.
Sub-processor list
The full list is in our Privacy Policy. We notify customers if we add a new sub-processor that handles personal information.
Compliance
- Built to operate under the Australian Privacy Principles. Our breach response follows the Notifiable Data Breaches scheme.
- Payments are handled by Stripe; we do not process or store card numbers, keeping our PCI scope at SAQ-A.
- SOC 2 Type I observation is on the roadmap when our enterprise pipeline justifies the engagement. We do not currently claim a SOC 2, ISO 27001, or HIPAA attestation.
Reporting a vulnerability
We welcome coordinated disclosure. If you believe you have found a security issue:
- Email security@regcheck360.com with details and a proof of concept.
- Give us a reasonable window (90 days by default) before public disclosure.
- Do not access data that is not your own, do not run automated scanners against authenticated endpoints, and do not affect service availability.
- We will acknowledge your report within 24 hours and keep you updated through to resolution.
Machine-readable contact info is at /.well-known/security.txt.
For procurement teams
Need a vendor questionnaire filled out, a DPA signed, or a security walkthrough? Email sales@regcheck360.com and we will turn it around within a few business days.