Trust

How Cybool secures the Platform

Cybool delivers cybersecurity to other organizations. Our own platform must be at least as well-defended as the customers we serve. This page is the public statement of our security posture.

Last updated: 2026-05-02 · Sprint 2 launch.

Architecture + isolation

  • Multi-tenant SaaS. One Postgres database; per-Partner + per-Client tenants enforced by Row-Level Security policies on every business table.
  • Tenant isolation testing. A cross-tenant leak suite runs on every commit (covers Sprint 1 + every Sprint 2 module: TPRM, ASM, Insurance, Policies, Subscriptions).
  • RLS-first. Every server action runs under the user's JWT first; service-role is used only for cron jobs and admin-only mutations after explicit super_admin checks.
  • PII encryption at rest. Vendor + invite + CAP contact email/name columns are pgcrypto-encrypted with a key never stored in the database (env-only). Service-role bypasses RLS but cannot decrypt without the key.
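The three database-side controls listed above (per-tenant Row-Level Security, pgcrypto encryption of PII columns with a key that never lives in a table) together with the append-only audit log described under Backups + DR, shown as an added SQL example. This is not Cybool's schema or code: the vendors and audit_log tables, the tenant_id JWT claim, the app.pii_key setting, the authenticated role and every id and key below are assumptions constructed for illustration. It runs on a stock PostgreSQL with pgcrypto; Supabase projects already carry the authenticated role and the request.jwt.claims setting that PostgREST populates from the verified JWT.

```sql
-- Added example, not Cybool's schema. Assumptions: a "vendors" business table, an
-- "audit_log" table, a "tenant_id" claim in the Supabase JWT, and the "authenticated"
-- role the API connects as. Supabase/PostgREST publishes the verified JWT claims in
-- the request.jwt.claims setting; the helper below reads the tenant from it.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

DO $$ BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
    CREATE ROLE authenticated NOLOGIN;   -- Supabase projects already have this role
  END IF;
END $$;

CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT (current_setting('request.jwt.claims', true)::jsonb ->> 'tenant_id')::uuid
$$;

-- Business table. PII columns are bytea: they hold pgcrypto ciphertext, never plaintext.
CREATE TABLE vendors (
  id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id     uuid NOT NULL,
  name          text NOT NULL,
  contact_name  bytea,
  contact_email bytea
);
ALTER TABLE vendors ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE, DELETE ON vendors TO authenticated;

-- One policy per command. USING filters what is visible; WITH CHECK rejects a write
-- that would land in another tenant. The table owner and BYPASSRLS roles
-- (Supabase's service-role) are exempt, which is why the key below matters.
CREATE POLICY vendors_select ON vendors FOR SELECT TO authenticated
  USING (tenant_id = current_tenant_id());
CREATE POLICY vendors_insert ON vendors FOR INSERT TO authenticated
  WITH CHECK (tenant_id = current_tenant_id());
CREATE POLICY vendors_update ON vendors FOR UPDATE TO authenticated
  USING (tenant_id = current_tenant_id()) WITH CHECK (tenant_id = current_tenant_id());
CREATE POLICY vendors_delete ON vendors FOR DELETE TO authenticated
  USING (tenant_id = current_tenant_id());

-- Audit log: SELECT and INSERT policies only. With RLS enabled, a command that has no
-- policy is denied, so UPDATE/DELETE can never match a row; withholding the grant as
-- well turns the silent zero-row result into a hard permission error.
CREATE TABLE audit_log (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id uuid NOT NULL,
  actor     text,
  event     text NOT NULL,
  at        timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT ON audit_log TO authenticated;
CREATE POLICY audit_select ON audit_log FOR SELECT TO authenticated
  USING (tenant_id = current_tenant_id());
CREATE POLICY audit_insert ON audit_log FOR INSERT TO authenticated
  WITH CHECK (tenant_id = current_tenant_id());

-- Seed two tenants as the owner (constructed ids). The PII key comes from the
-- application's environment and is handed to this transaction only (SET LOCAL);
-- no table holds it, so a service-role read of the column returns ciphertext.
BEGIN;
SET LOCAL app.pii_key = 'constructed-demo-key';
INSERT INTO vendors (tenant_id, name, contact_email) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Acme Ltd',
   pgp_sym_encrypt('alice@example.com', current_setting('app.pii_key'))),
  ('22222222-2222-2222-2222-222222222222', 'Globex',
   pgp_sym_encrypt('bob@example.com',   current_setting('app.pii_key')));
COMMIT;

-- The cross-tenant leak check: act as tenant 1111... and look for tenant 2222...'s data.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"user-a","role":"authenticated","tenant_id":"11111111-1111-1111-1111-111111111111"}', true);
SELECT set_config('app.pii_key', 'constructed-demo-key', true);
SELECT count(*) FROM vendors;                     -- Globex must not be counted
SELECT name, pgp_sym_decrypt(contact_email, current_setting('app.pii_key')) AS email
  FROM vendors;                                   -- only Acme Ltd, decrypted
INSERT INTO audit_log (tenant_id, actor, event)
  VALUES ('11111111-1111-1111-1111-111111111111', 'user-a', 'vendor.viewed');
-- Each of these is rejected, so they stay commented to keep the script running:
-- INSERT INTO vendors (tenant_id, name) VALUES ('22222222-2222-2222-2222-222222222222', 'x');
--   -> new row violates row-level security policy for table "vendors"
-- DELETE FROM audit_log;   -> permission denied for table audit_log
ROLLBACK;
```

Run it as the database owner; the last transaction is what a per-commit leak suite would execute for every tenant pair and every business table, asserting that the count never includes another tenant's rows and that the cross-tenant write fails. Two caveats a practitioner should carry over: the policies only protect roles that are subject to RLS, so anything that connects with BYPASSRLS (the service-role) must be limited to the cron and super_admin paths the page describes; and the key should be passed as a bound parameter rather than an interpolated literal, with statement logging configured so that it does not end up in the Postgres log.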

Hosting + residency

  • Application: Vercel (eu-central-1 region pinned).
  • Database: Supabase Postgres 17.6 (EU West region).
  • Object storage: Supabase Storage (same region as DB).
  • AI inference: Anthropic Claude — selectable EU data-residency under Anthropic's standard data-processing terms.

Backups + DR

  • Daily logical backup via pg_dump 17.9 client tooling, stored offline outside the Supabase project.
  • Documented recovery runbook with target ≤ 1 hour to restore Partner X from yesterday's snapshot.
  • Monthly rehearsal of the restore flow against a scratch database.
  • Audit-log rows are append-only by RLS design (no UPDATE / DELETE policy).

Sub-processors

Third parties that may process customer data:

  Sub-processor          | Purpose                                                               | Region
  Vercel                 | Application hosting                                                   | EU
  Supabase               | Database + storage + auth                                             | EU
  Anthropic              | AI inference (Claude)                                                 | EU-residency available
  Brevo                  | Transactional email                                                   | EU
  Huntress / IRONSCALES  | Customer-side MDR + email security (only when Customer connects them) | Customer choice

Audit

  • External penetration test commissioned annually; findings are fixed before the second paying tenant is onboarded.
  • Customer-runnable audit log at /admin/audit exports tenant-scoped events for SIEM ingestion.
  • SIEM egress webhook available per Partner (HMAC-SHA256 signed JSON; schema cybool.siem.v1).
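How an HMAC-SHA256 signed webhook is produced and checked, as an added SQL example rather than Cybool's webhook code. It assumes the signature is the hex HMAC-SHA256 of the exact request body bytes under the Partner's shared secret and is carried in a request header (the header name X-Cybool-Signature is assumed, not taken from the page); the event body is constructed and does not reproduce the real cybool.siem.v1 field set. pgcrypto's hmac() is used for both sides so the whole exchange runs inside Postgres; a SIEM connector would implement the receiver half in its own language.

```sql
-- Added example, not Cybool's webhook code. Assumptions: the signature is the hex
-- HMAC-SHA256 of the exact request body bytes under the Partner's shared secret and
-- travels in a request header (header name assumed: X-Cybool-Signature). pgcrypto's
-- hmac() plays both sender and receiver here; a SIEM connector would do the receiver
-- half in its own language with a constant-time comparison.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Sender: sign the bytes that will go on the wire.
CREATE OR REPLACE FUNCTION siem_sign(body bytea, secret bytea) RETURNS text
LANGUAGE sql IMMUTABLE AS $$
  SELECT encode(hmac(body, secret, 'sha256'), 'hex')
$$;

-- Receiver: recompute over the raw bytes exactly as received, before any JSON parsing,
-- and compare with the header. A malformed header is rejected instead of raising.
CREATE OR REPLACE FUNCTION siem_verify(body bytea, secret bytea, header_sig text)
RETURNS boolean LANGUAGE sql IMMUTABLE AS $$
  SELECT CASE
           WHEN header_sig ~ '^[0-9a-fA-F]{64}$'
             THEN hmac(body, secret, 'sha256') = decode(header_sig, 'hex')
           ELSE false
         END
$$;

-- Constructed event bodies and secret; the real cybool.siem.v1 fields are not shown here.
WITH wire AS (
  SELECT convert_to('{"schema":"cybool.siem.v1","event":"policy.acknowledged","tenant":"demo-tenant"}', 'UTF8')  AS body,
         convert_to('{"schema":"cybool.siem.v1","event":"policy.acknowledged","tenant":"other-tenant"}', 'UTF8') AS altered,
         convert_to('constructed-partner-secret', 'UTF8') AS secret
), signed AS (
  SELECT *, siem_sign(body, secret) AS sig FROM wire
)
SELECT sig,
       siem_verify(body, secret, sig)                               AS genuine,
       siem_verify(altered, secret, sig)                            AS body_altered,
       siem_verify(body, convert_to('wrong-secret', 'UTF8'), sig)  AS wrong_secret,
       -- Re-serialising the JSON (pretty-printed here) changes the bytes: a receiver
       -- that parses first and signs its own rendering rejects genuine events.
       siem_verify(convert_to(jsonb_pretty(convert_from(body, 'UTF8')::jsonb), 'UTF8'),
                   secret, sig)                                     AS reserialised,
       siem_verify(body, secret, 'not-a-signature')                 AS malformed_header
FROM signed;
```

Only the genuine column verifies; the altered body, the wrong secret, the re-serialised body and the malformed header are all rejected, which is the behaviour a receiving connector should be tested against before events are trusted for alerting. Two points the SQL cannot show: bytea equality is not a constant-time comparison, so a real receiver should use its language's dedicated routine (hmac.compare_digest in Python, crypto.timingSafeEqual in Node); and a valid signature proves origin and integrity but not freshness, so the consumer should also de-duplicate on an event id or timestamp carried in the signed body.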

Reporting a security issue

Email security@cybool.com. We respond within one business day. We do not currently run a public bug bounty; coordinated disclosure is welcomed.
