Network Allowlisting
Preventive
Inbound administrative access to backend infrastructure is restricted to approved network boundaries.
Controls Library
This library describes control families currently implemented in Strand production architecture. Controls are grouped by operational purpose and include evidence references for diligence workflows.
Categories: 5
Published Controls: 20
Last Updated: 2026-03-04
Controls governing privileged access to backend infrastructure and investigation data.
Inbound administrative access to backend infrastructure is restricted to approved network boundaries.
Client certificate authentication is required before privileged application-layer access is granted.
Privileged access requires OTP-based MFA in addition to credential checks.
Operational access to production systems is limited to a minimal set of authorized personnel.
Controls focused on confidentiality, isolation, and residency of investigation data.
Core customer data stores and processing infrastructure are hosted in the UK.
Application database storage applies AES-256 encryption at rest.
Data in transit is protected with TLS 1.2+ between services and user endpoints.
Database row-level security enforces organization and investigation scoping with token-backed identity checks.
Controls reducing exposure of backend services and protecting service perimeters.
Frontend and processing environments are segmented so public app paths do not directly expose evidence-processing systems.
Multiple filtering layers are used to reduce direct-to-origin exposure risk for backend services.
Unexpected network routes are dropped to reduce reconnaissance surface and enforce known paths.
Frontend hosting includes managed SSL and baseline DDoS mitigation capabilities.
Identity, session, and API-layer controls in the application stack.
User authentication is handled through Supabase Auth with token-based sessions.
Transport security headers and HTTPS-only communication are enforced.
Token verification is performed as part of database access policy evaluation prior to returning records.
Password handling and hashing controls are delegated to managed authentication infrastructure.
Monitoring, key management, and response-oriented operational controls.
Access and network-control telemetry is monitored for anomalous events.
Critical client certificate backups are retained on offline hardware for controlled recovery.
Independent control layers are designed so single-control failure does not directly expose customer data.
Security and trust documentation requests are supported via a direct security contact channel.