Security Controls and Incident Response
Version 2026-03-16-v23, updated 2026-03-16.
| Control | Implementation | Scope |
|---|---|---|
| Authentication and access protection | Supabase Auth, session management, optional MFA (TOTP), role-based access controls | Account security and access to product data |
| Transport and storage security | TLS-protected transport, infrastructure hardening, role-separated access | Web, API, and backend data processing |
| Monitoring, abuse detection, and rate limiting | Security logs, abuse detection, hashed IP-based rate limits, and technical blocking and protection mechanisms | Abuse prevention and availability |
| Authorization and role concepts | Need-to-know access controls and internal access restrictions | Internal administration and support |
| Recoverability and resilience | Backup and recovery processes as well as technical redundancy where implemented | Operational continuity and incident recovery |
Incident Response Facts
Detection and initial assessment
Security-relevant incidents are prioritized, assessed, and technically contained.
Containment and recovery
We apply technical and organizational measures for containment and recovery.
Notification duties
For notifiable breaches, we notify the supervisory authority and, where required, affected persons in line with Articles 33 and 34 of the GDPR.