Security, privacy, and compliance — without the badges we haven't earned
The information your security team, legal counsel, and compliance reviewer want before signing. Real controls, named sub-processors, honest compliance posture, working incident contact.
The EYP Ops trust hub is the public security and compliance reference for buyers reviewing tenant isolation, audit trails, sub-processors, data handling, incident response and enterprise readiness before adopting EYP Ops.
Security controls
Every item below is implemented and verifiable in the codebase. Architecture-level enforcement, not a policy document.
Every query enforces company-level scoping: a companyId WHERE clause in every Prisma query. A startup guard (assertTenancyModelListsAreInSync) blocks API boot if any new model is missing tenant scope. Cross-company access resolves as "not found" — never as a leak.
AES-256 equivalent encryption at rest via managed volume encryption + PostgreSQL native protections. TLS 1.3 minimum on every connection. No unencrypted traffic, internal or external.
StockMove records are never updated or deleted. Corrections post reversing entries. Historical COGS cannot drift. Destructive operations require role guard + AuditLog + period-lock assertion (3-layer enforcement).
Every material change (invoice post, stock count close, payment, reversal, period unlock) records actor, timestamp, before/after state, and target entity. Nothing happens anonymously.
Four roles (SUPER_ADMIN, COMPANY_ADMIN, OPERATOR, VIEWER) plus module-level access (ORDERS / INVENTORY / FINANCE) enforced independently. UI guards mirror backend guards — no security-by-obscurity.
External API tokens are hashed at rest, scoped to read/export endpoints only, rotatable, and revocable without affecting application users. Separate rate limiting applies. JWT access tokens expire in 15 min, refresh tokens rotate on use with reuse-detection lockout.
Operational visibility
What we monitor today, and what is publicly visible when.
Sentry error tracking with PII scrubbing, Vercel deployment + uptime metrics, and custom health endpoints on the API. On-call rotation for production incidents.
Launching W3 (BetterStack-hosted). Will track API, web app, and marketing-site availability with public incident history and post-mortems for sev-1 events.
Who else processes your data
Complete list. We update this page before adding any new sub-processor that handles customer data.
| Sub-processor | Purpose | Data handled | Safeguards and certifications | Jurisdiction |
|---|---|---|---|---|
| Resend | Transactional + marketing email delivery | Recipient address, email body | Encrypted in transit (TLS) and at rest. SOC 2 Type II. | United States (Delaware) |
| Cloudflare | DNS, CDN, WAF, Turnstile (CAPTCHA) | Request metadata, IP addresses | No application data persistence. SOC 2 Type II, ISO 27001. | United States (with EU edge) |
| Vercel | Marketing site hosting, Edge functions | Static assets and request logs | No customer database content. SOC 2 Type II. | United States (with EU regions available) |
| Stripe | Payment processing (subscription billing) | Card data and billing identifiers | PCI DSS Level 1 certified — card numbers never touch our servers. | United States |
| Sentry | Error monitoring, performance traces | Error stack traces and request context | PII scrubbing rules enabled — no body payloads, no auth tokens. | United States (with EU region option) |
| Lemon Squeezy | Subscription billing (alternative provider) | Card data and billing identifiers | PCI DSS compliant. Used as Merchant of Record where required. | United States (Delaware) |
Any change to this list is communicated at least 30 days in advance to customers on Growth and Enterprise tiers.
Honest compliance status
What we are aligned with today, what is on the roadmap, and what we are deliberately deferring.
Data residency in the UAE (Dubai region) by default. Breach notification process and consent management implemented. Alignment with UAE Personal Data Protection Law obligations is in progress and tracked publicly.
Standard Data Processing Agreement (DPA) template available on request. Sub-processor list (above) public. Right to erasure, data portability, and consent-based processing built in. EU tenant-ready architecture.
No public timeline announced. Annual penetration testing in place. Architecture and audit-log design built to make SOC 2 Type I straightforward when enterprise demand justifies the audit cost.
Not pursued at this stage. Will revisit with the first enterprise contract that requires it. We will not display a badge we have not earned.
How customer data is stored, encrypted, retained, and deleted
The technical detail your security team and DPO will ask about.
- Encryption at rest: PostgreSQL native encryption + Vercel storage encryption + managed volume encryption (AES-256 equivalent).
- Encryption in transit: TLS 1.3 minimum on every external connection. Internal service-to-service traffic also encrypted.
- Backup retention: Daily automated backups (30-day retention) + weekly snapshots (90-day retention) + monthly archive (1 year). Point-in-time recovery within the last 7 days.
- Data deletion: Customer deletion request: 30-day soft-delete window (recoverable) → hard-delete from primary database → backups age out after 90 days. Hard-delete certificate available on request.
- Tenant isolation: Row-level companyId scoping in every query. Cross-tenant access architecturally prevented at the Prisma layer + startup-time integrity check.
- Sensitive field handling: Passwords stored as bcrypt hashes. API tokens hashed at rest. Auth secrets never logged. PII scrubbing rules in error monitoring.
Contracts and data processing agreements
A standard Data Processing Agreement with EU SCCs (where relevant) is available on request. Email [email protected] with your company name and we will return a signed copy within 5 business days.
MSA, NDA, regional addenda, and security questionnaires (SIG, CAIQ, custom) are supported on Growth and Enterprise tiers. Send the document set to [email protected].
Architecture decisions for CTO and IT decision-makers
EYP Ops is built for production from day one. Architecture decisions optimized for audit, not feature velocity.
- Frontend: Next.js 15 App Router with React 19, TypeScript strict mode.
- Backend: NestJS 11 with Prisma 7, PostgreSQL 16.
- Hosting: Vercel (web + marketing) with Cloudflare proxy. EU edge regions available on Enterprise.
- Observability: Sentry for errors, custom health endpoints, Vercel uptime monitoring.
Every database row carries a companyId foreign key. All queries are scoped at the ORM layer (prisma/tenancy/company-scoped-models.ts). Cross-tenant data access is architecturally prevented — the boot sequence asserts the tenancy model list is in sync, and a missing scope fails API startup.
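The boot-time check and the per-query scoping described above, as an added illustration that is not EYP Ops code: the schema snippet, model names and the scoped-model list are constructed, and the guard mirrors what assertTenancyModelListsAreInSync is described as doing (compare models that carry companyId against the maintained list and refuse to boot on drift).

```typescript
// Added example, not EYP Ops code. Constructed stand-in for the Prisma schema
// that a tenancy guard would scan at API boot.
const SCHEMA = `
model Company   { id String @id }
model StockMove { id String @id  companyId String  qty Int }
model Invoice   { id String @id  companyId String  total Int }
model Payment   { id String @id  companyId String  amount Int }
`;

// Hypothetical equivalent of prisma/tenancy/company-scoped-models.ts.
// Payment is deliberately missing so the guard has drift to catch.
const COMPANY_SCOPED_MODELS: string[] = ["StockMove", "Invoice"];

// Names of models whose declared fields include companyId.
function modelsWithCompanyId(schema: string): string[] {
  const out: string[] = [];
  const re = /model\s+(\w+)\s*\{([^}]*)\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(schema)) !== null) {
    if (/\bcompanyId\b/.test(m[2])) out.push(m[1]);
  }
  return out;
}

// Models that carry companyId but are absent from the scoped list.
function tenancyDrift(schema: string, scoped: string[]): string[] {
  return modelsWithCompanyId(schema).filter((name) => scoped.indexOf(name) === -1);
}

// Boot guard: throwing here aborts API startup before any request is served.
function assertTenancyModelListsAreInSync(schema: string, scoped: string[]): void {
  const missing = tenancyDrift(schema, scoped);
  if (missing.length > 0) {
    throw new Error(`Unscoped tenant models: ${missing.join(", ")}`);
  }
}

type QueryArgs = { where?: Record<string, unknown> } & Record<string, unknown>;

// Forces the caller's companyId into the where clause of every query against a
// scoped model. A different companyId supplied by the caller is overwritten, so a
// cross-company lookup simply returns nothing ("not found") instead of leaking.
function scopeQuery(model: string, companyId: string, args: QueryArgs = {}): QueryArgs {
  if (COMPANY_SCOPED_MODELS.indexOf(model) === -1) return args;
  return { ...args, where: { ...(args.where || {}), companyId } };
}
```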
Stock movements are insert-only. UPDATE and DELETE on the StockMove table are blocked at the database level. Any stock balance at any historical timestamp can be reconstructed as SUM(qty) over the rows WHERE effectiveAt <= timestamp AND isReversal = false. Cost (unitCost) is immutable post-write — historical reports never recompute against current prices. See methodology for the full model.
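An added, self-contained model of the append-only ledger described above (not EYP Ops code): rows are frozen on write, corrections post an opposite-sign reversing row, and balance and inventory value at any timestamp are rebuilt from the rows effective by then, each priced at its own frozen unitCost. It assumes reversing rows are summed into the balance so that a correction nets the original out.

```typescript
// Added example, not EYP Ops code. Assumed shape of a StockMove row.
interface StockMove {
  readonly id: number;
  readonly sku: string;
  readonly qty: number;          // signed: receipts positive, issues negative
  readonly unitCost: number;     // frozen at write time, never recomputed
  readonly effectiveAt: number;  // epoch milliseconds
  readonly isReversal: boolean;  // true for a correcting row
  readonly reverses?: number;    // id of the row being reversed
}

class StockLedger {
  private readonly rows: StockMove[] = [];

  // The only way in is append; Object.freeze makes the row immutable after write.
  post(m: Omit<StockMove, "id">): StockMove {
    const row: StockMove = Object.freeze({ ...m, id: this.rows.length + 1 });
    this.rows.push(row);
    return row;
  }

  // A correction never touches the original; it posts the exact opposite entry
  // at its own effectiveAt, so earlier balances are unaffected.
  reverse(id: number, effectiveAt: number): StockMove {
    let orig: StockMove | undefined;
    for (const r of this.rows) if (r.id === id) orig = r;
    if (!orig) throw new Error(`StockMove ${id} not found`);
    if (orig.isReversal) throw new Error("cannot reverse a reversal");
    return this.post({ sku: orig.sku, qty: -orig.qty, unitCost: orig.unitCost,
      effectiveAt, isReversal: true, reverses: id });
  }

  private asOf(sku: string, at: number): StockMove[] {
    return this.rows.filter((r) => r.sku === sku && r.effectiveAt <= at);
  }

  // Quantity on hand as of `at`, rebuilt purely from the rows effective by then.
  balance(sku: string, at: number): number {
    return this.asOf(sku, at).reduce((sum, r) => sum + r.qty, 0);
  }

  // Inventory value as of `at`, using each row's frozen unitCost, never today's price.
  value(sku: string, at: number): number {
    return this.asOf(sku, at).reduce((sum, r) => sum + r.qty * r.unitCost, 0);
  }
}
```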
- REST API with API key authentication, scoped permissions per token.
- Webhook delivery for inventory events.
- Email-to-invoice intake via Resend.
- POS integrations: Orion, Lightspeed (planned).
- Every architectural rule comes from a documented operational failure.
- Period close requires role guard + AuditLog entry for all reopen and repost flows.
- Mark-to-market reporting bugs are prevented by the immutable cost architecture.
What happens when something goes wrong
Our commitments to detection, notification, and disclosure.
Sentry alerting on error spikes, uptime monitoring, daily security log review, and manual review of unusual access patterns. Customers can also report issues directly.
Confirmed customer-impacting breach: written notification within 72 hours of impact confirmation, with scope, mitigation status, and recommended customer actions.
90-day responsible-disclosure window for security researcher reports. We commit to acknowledge within 3 business days, provide a fix timeline within 14 days, and credit the researcher in the public changelog (with consent).
No public bug bounty programme at this stage. Researcher reports are very welcome via [email protected] — fair evaluation, no legal action for good-faith research.
Suspected vulnerability or active incident? Email [email protected]. PGP key available on request. We aim to acknowledge within 24 hours; sev-1 reports are typically reviewed within 4 hours during UAE business hours.
Security questionnaires, custom DPA, architecture deep-dives, or a synchronous review with our team — we respond to every request.