Security
InsureOS handles policyholder PII, payment data, and inbound calls. Here is exactly how we protect it.
Tenant isolation
Every domain table (leads, interactions, policies, commissions, audit logs, billing) carries a tenant_id column. Postgres row-level security policies on every one of those tables compare the row's tenant_id against the tenants the calling auth.uid() is mapped to in the user_roles table and reject anything that does not match. Cross-tenant reads are therefore blocked at the database layer, not only in application code. The one connection that bypasses RLS is the service-role client, which is why it is loaded only inside server functions that have already verified the caller's tenant and role (see Authorization).
Encryption
- All traffic is TLS 1.2+ in transit.
- Database at rest is encrypted by the underlying platform.
- Per-tenant integration credentials (Twilio, SendGrid, Meta, OAuth tokens) are encrypted with a server-side INTEGRATION_ENC_KEY before being written; the UI only ever receives a masked last_four.
Authentication
Sign-in supports email/password and Google OAuth via the Lovable broker. Sessions are persisted in localStorage and refreshed by Supabase Auth. Because localStorage is readable by any script on the origin, the client-side gate is a convenience rather than a control: the _authenticated layout keeps protected routes from rendering without a session, and every protected server function independently re-validates the bearer token via requireSupabaseAuth, so an expired or tampered token cannot read data even if the UI mounted.
Authorization
Roles live in a dedicated user_roles table, never on the profile row (a profile row is user-editable, so a role column there would be a self-service privilege escalation), and are checked inside RLS policies through a security-definer has_role() function. Server functions that perform privileged work (role grants, retention sweep, admin reads) explicitly verify tenant_admin or super_admin before loading the service-role client, because that client bypasses RLS entirely.
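The tenant isolation and role checks described in the two sections above, as an added example in the shape Supabase RLS takes; this is illustrative SQL written for this page, not InsureOS's own schema. It assumes Supabase (auth.uid() and auth.users exist) and a minimal leads table; the 'agent' and 'manager' role names and the is_tenant_member() helper are assumptions, while tenant_id, user_roles, has_role(), tenant_admin and super_admin come from the page.

```sql
-- Added example, not InsureOS's own schema. Assumes Supabase's auth.uid() and
-- auth.users; 'agent'/'manager' roles, the leads columns and is_tenant_member()
-- are assumptions made for illustration.

create type app_role as enum ('agent', 'manager', 'tenant_admin', 'super_admin');

-- Roles get their own table. A profile row is user-editable, so a role
-- column on it would be a self-service privilege escalation.
create table user_roles (
  user_id   uuid     not null references auth.users (id) on delete cascade,
  tenant_id uuid     not null,
  role      app_role not null,
  primary key (user_id, tenant_id, role)
);

-- security definer runs as the function owner, so the lookup is not itself
-- subject to the caller's RLS; a pinned search_path stops a schema the
-- caller controls from shadowing user_roles.
create or replace function has_role(_tenant uuid, _role app_role)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from user_roles
    where user_id = auth.uid() and tenant_id = _tenant and role = _role
  );
$$;

create or replace function is_tenant_member(_tenant uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from user_roles
    where user_id = auth.uid() and tenant_id = _tenant
  );
$$;

create table leads (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  email     text not null
);

-- enable + force: force applies the policy to the table owner as well; only
-- roles with BYPASSRLS (Supabase's service_role) step around it.
alter table leads enable row level security;
alter table leads force row level security;

-- using() filters reads/updates/deletes; with check() rejects inserts and
-- updates that would land a row in a tenant the caller does not belong to.
create policy leads_tenant_isolation on leads
  for all
  using (is_tenant_member(tenant_id))
  with check (is_tenant_member(tenant_id));

-- user_roles is enabled but deliberately not forced: the security-definer
-- functions above are owned by the table owner, and forcing RLS here would
-- make has_role() recurse into the very policy that calls it.
alter table user_roles enable row level security;

create policy user_roles_self_read on user_roles
  for select using (user_id = auth.uid());

-- Only a tenant_admin or super_admin of that tenant may grant or change roles.
create policy user_roles_admin_write on user_roles
  for all
  using (has_role(tenant_id, 'tenant_admin') or has_role(tenant_id, 'super_admin'))
  with check (has_role(tenant_id, 'tenant_admin') or has_role(tenant_id, 'super_admin'));

-- Sanity check from psql: simulate a request as one user (Supabase derives
-- auth.uid() from this claim) and confirm only that user's tenant comes back.
--   begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"sub": "<user uuid>"}';
--   select tenant_id, count(*) from leads group by 1;   -- one tenant only
--   rollback;
```

The two details worth copying are the `with check` clause, without which a member of tenant A can insert or re-point a row into tenant B while still passing the read filter, and the decision not to `force` RLS on user_roles, which is what keeps the security-definer role lookup from recursing into its own policy.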
Audit logging
Every insert / update / delete on a domain table writes to audit_logs with the actor, before-state, after-state, and lead correlation id. Logs are retained for 7 years and visible to managers under Audit log.
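One way to guarantee that the write to audit_logs cannot be skipped by application code, as an added example that is not InsureOS's own trigger: a database-level trigger that records actor, before-state, after-state and lead correlation id. It assumes Supabase's auth.uid() for the actor, a minimal leads table, and that other domain tables carry a lead_id column; the audit_logs column names and the audit_domain_change() function are assumptions.

```sql
-- Added example, not InsureOS's own trigger. Assumes Supabase's auth.uid();
-- the leads stand-in, the audit_logs column names and the lead_id convention
-- on non-lead tables are assumptions made for illustration.

create table leads (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  email     text not null
);

create table audit_logs (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  table_name text not null,
  operation  text not null check (operation in ('INSERT', 'UPDATE', 'DELETE')),
  row_id     uuid,
  lead_id    uuid,        -- correlation id; null where the row is not lead-related
  actor_id   uuid,        -- auth.uid(); null for changes made by a service job
  before_row jsonb,       -- null on insert
  after_row  jsonb,       -- null on delete
  logged_at  timestamptz not null default now()
);

-- security definer so the insert runs as the function owner: audit_logs has
-- RLS enabled (below) with no insert policy, so API callers cannot forge
-- entries, but the owner-run trigger still can.
create or replace function audit_domain_change()
returns trigger
language plpgsql security definer
set search_path = public
as $$
declare
  before_j jsonb;
  after_j  jsonb;
  row_j    jsonb;
begin
  if tg_op in ('UPDATE', 'DELETE') then before_j := to_jsonb(old); end if;
  if tg_op in ('INSERT', 'UPDATE') then after_j  := to_jsonb(new); end if;
  row_j := coalesce(after_j, before_j);   -- tenant/id from whichever state exists

  insert into audit_logs
    (tenant_id, table_name, operation, row_id, lead_id, actor_id, before_row, after_row)
  values (
    (row_j ->> 'tenant_id')::uuid,
    tg_table_name,
    tg_op,
    (row_j ->> 'id')::uuid,
    -- on leads the row is the lead; on other domain tables use their lead_id
    case when tg_table_name = 'leads' then (row_j ->> 'id')::uuid
         else (row_j ->> 'lead_id')::uuid end,
    auth.uid(),
    before_j,
    after_j
  );
  return coalesce(new, old);   -- AFTER trigger: the return value is ignored
end;
$$;

-- One trigger per domain table; FOR EACH ROW gives per-row before/after state.
create trigger leads_audit
  after insert or update or delete on leads
  for each row execute function audit_domain_change();

-- Append-only through the API: RLS on, then add the same tenant-scoped select
-- policy used on domain tables for managers; with no insert/update/delete
-- policy, nothing reachable through the API can alter history.
alter table audit_logs enable row level security;

-- Sanity check after an update through the API:
--   select operation, before_row ->> 'email', after_row ->> 'email', actor_id
--   from audit_logs order by id desc limit 1;
```

Because the trigger fires inside the same transaction as the change, the audit row and the data change commit or roll back together; an application-level audit call can be forgotten or can fail after the write has already committed.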
Secrets handling
The Stripe secret key, SendGrid global secret, and Supabase service role key are stored as server-only environment variables. Vite inlines only VITE_-prefixed variables into the browser bundle, so these names can never reach it, and a static check rejects any secret that is given the VITE_ prefix. Provider credentials are written from the UI through a server function that encrypts them before insert.
Compliance posture
- UK GDPR & GDPR — RTBF, data export (Article 15), consent ledger, retention sweep.
- PECR / TCPA — opt-in enforced before SMS and email send; STOP / unsubscribe handled inbound.
- FCA conduct — every advised interaction is logged with timestamp, channel, and actor.
Incident response
Security-relevant events land in error_events with severity and surface, visible to super-admins. Reportable incidents are triaged within 24 hours and notified to affected tenant admins within 72 hours, in line with UK GDPR Article 33.
Reporting a vulnerability
Please email security disclosures to your operator contact. We will acknowledge within two business days.