TradeShield

Security

This page describes the current security controls. It is maintained by the TradeShield operator.

Encryption

  • AES-256 — data encryption at rest
  • TLS 1.3 — encryption in transit
  • Passwords — bcrypt with salt (Supabase Auth)
  • API secrets — stored in Supabase Vault, not in source code

Infrastructure

  • Server location: European Union (Frankfurt, Germany)
  • Provider: Supabase (Postgres, Auth, Storage, Edge Functions)
  • CDN and edge: Cloudflare
  • Automated database backups (daily, 7-day retention)

Access control

  • RLS (Row Level Security) — every business table has access policies
  • RBAC — 4 roles: admin, compliance_officer, operator, viewer
  • Organization isolation (multi-tenant) — company A's data is invisible to company B
  • Security definer functions — access helpers preventing RLS recursion
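
How the four controls above typically fit together on Supabase/Postgres, as an added example that is not TradeShield's actual schema or policy set. Every table, column, type and function name here is hypothetical, and the choice of which roles may insert is an assumption; only the four role names come from this page.

```sql
-- Hypothetical schema: all table, column, type and function names are assumptions.
create type public.app_role as enum ('admin', 'compliance_officer', 'operator', 'viewer');

create table public.org_members (
  user_id uuid not null,
  org_id  uuid not null,
  role    public.app_role not null,
  primary key (user_id, org_id)
);

create table public.shipments (  -- stand-in for any business table
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  payload jsonb
);

alter table public.org_members enable row level security;
alter table public.shipments   enable row level security;

-- A policy on org_members that itself subqueries org_members fails with
-- "infinite recursion detected in policy". This helper runs with its owner's
-- rights (SECURITY DEFINER); a table owner is not subject to RLS unless
-- FORCE ROW LEVEL SECURITY is set, so the lookup does not re-enter the policy.
create function public.has_org_role(target_org uuid, allowed public.app_role[])
returns boolean language sql stable security definer
set search_path = ''  -- pin name resolution inside the definer-rights function
as $$
  select exists (
    select 1 from public.org_members m
    where m.user_id = auth.uid()      -- Supabase: id of the calling user
      and m.org_id  = target_org
      and m.role    = any (allowed)
  );
$$;

revoke execute on function public.has_org_role(uuid, public.app_role[]) from public, anon;
grant  execute on function public.has_org_role(uuid, public.app_role[]) to authenticated;

-- Tenant isolation: a row is visible only to members of the row's organization.
create policy members_read on public.org_members for select to authenticated
  using (public.has_org_role(org_id, enum_range(null::public.app_role)));

create policy shipments_read on public.shipments for select to authenticated
  using (public.has_org_role(org_id, enum_range(null::public.app_role)));

-- RBAC: which roles may write is an assumption made for this example.
create policy shipments_write on public.shipments for insert to authenticated
  with check (public.has_org_role(org_id, array['admin', 'operator']::public.app_role[]));
```

Because the helper bypasses RLS on the membership table, it returns only a boolean and filters on auth.uid() itself; a definer function that returned rows or accepted a caller-supplied user id would reopen the isolation boundary.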

Audit & compliance

  • Immutable audit log — who, what, when (account, IP, user agent)
  • Right to data export — JSON of all organization data
  • Right to erasure (GDPR) — account deletion + 30-day grace period
  • Controls aligned with ISO/IEC 27001 Annex A (A.5–A.18)

Shared security responsibility model

The service operates under a shared responsibility model.

Operator's responsibilities

  • Securing application infrastructure
  • Maintaining system-level security controls
  • Implementing reasonable technical safeguards
  • Protecting data stored within the platform under the Operator's control

User's responsibilities

  • Keeping credentials confidential
  • Restricting account access within the organization
  • Ensuring only authorized personnel access the Service
  • Implementing internal security policies for using the Service
  • Verifying and validating any data uploaded before submission

Data protection — recommendations

The Operator recommends that users implement appropriate internal security measures, including:

  • Access control policies in the organization
  • Secure password management
  • Internal authorization procedures for uploading sensitive data

The Operator is not responsible for security breaches caused by: compromised user credentials, unauthorized internal access within the User's organization, or improper handling of credentials by the User.

Data loss disclaimer

The Operator is not responsible for data loss resulting from: user error, improper use of the Service, or unauthorized access due to compromised user credentials.

Note: TradeShield does not hold an ISO/IEC 27001 certificate. The platform implements technical controls aligned with the standard, but full certification requires an external audit by an accredited body.