This page summarises the technical and organisational measures Supplio uses to protect customer data. It supports our Privacy Policy and forms the technical and organisational measures schedule referenced in our Data Processing Addendum. We aim to describe what is true today, not what we hope to be true; where a control is a roadmap item we say so.
1. Encryption
- In transit: all connections to app.supplio.co.uk and supplio.co.uk are served over TLS 1.2 or higher. HTTPS is enforced at the edge and at the origin; the origin rejects non-HTTPS traffic in production.
- At rest: customer data, file uploads and database backups are encrypted at rest using AES-256 (or equivalent) by the underlying cloud-provider storage layer.
- Passwords: stored as bcrypt hashes — we never store or transmit clear-text passwords.
- Secrets: API keys, signing keys and other secrets are kept out of source control and supplied to the runtime through environment configuration. A start-up guard rejects deployments that ship with weak or known-leaked JWT signing keys.
2. Authentication and session management
- Minimum password length of 12 characters, with no daft character-class requirements (consistent with NIST SP 800-63B guidance).
- Every new and reset password is screened against the Have I Been Pwned breached-passwords corpus using a k-anonymity model — only the first 5 characters of the SHA-1 hash leave Supplio.
- Account lockout after 5 failed sign-in attempts, with a 15-minute cool-off.
- Short-lived JWT access tokens (up to 24 hours) and longer-lived refresh tokens (up to 7 days), both delivered as HttpOnly, Secure cookies; refresh-token rotation detects re-use of a previously used refresh token and immediately revokes the session.
- Cross-replica server-side token blacklist: a revoked token is rejected on every replica, not just the one that revoked it.
- Multi-factor authentication is on the near-term roadmap; today the platform supports single-factor email/password and (on Enterprise, by arrangement) federated single sign-on through a customer identity provider.
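The breached-password screen above works because the client never sends the password or its full hash. The following is an added illustration of that k-anonymity exchange, not Supplio's own code: the SHA-1 is split into a 5-character prefix (the only thing sent) and a 35-character suffix (matched locally against the returned list). The `fake_fetch_range` function is a constructed offline stand-in for the HTTP call to `https://api.pwnedpasswords.com/range/<prefix>`, and `BREACHED_CORPUS` is invented sample data.

```python
"""Have I Been Pwned k-anonymity password screening (added example).

Only the first 5 hex characters of the SHA-1 leave the client; the remaining
35 are compared locally against the suffix list the range API returns.
"""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the API, suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, which is the format the range API returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never)."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))  # only `prefix` leaves the client
    return counts.get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str], min_length: int = 12) -> bool:
    """Policy from the section above: minimum length, and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


# --- Constructed offline stand-in for the network call -----------------------
# Invented sample corpus; counts are made up.
BREACHED_CORPUS = {"password123": 123456, "correct horse battery staple": 17}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Builds a plausible response body from the constructed corpus. A real
    response holds hundreds of suffixes, so an unrelated padding entry is
    included to make sure the client matches suffixes rather than testing
    for an empty body.
    """
    lines = []
    for pw, n in BREACHED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)
```

In production `fetch_range` would be the real HTTPS call; the screening logic is unchanged, and the prefix is the only password-derived value that crosses the network.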
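The refresh-token rotation and re-use detection described above can be modelled with a small in-memory session store. This is an added example and not Supplio's implementation; the `SessionStore` class and its method names are assumptions for illustration. Each session has exactly one redeemable refresh token at a time; presenting a token that has already been rotated means either the legitimate client or an attacker holds a stale copy, and since the server cannot tell which, the whole session is revoked.

```python
"""Refresh-token rotation with replay detection (added example).

Invariant: a session has one current refresh token. Redeeming it issues a new
one and retires the old. Any later presentation of a retired token revokes the
session outright.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    user_id: str
    current_refresh: str
    revoked: bool = False
    issued: Set[str] = field(default_factory=set)  # every refresh token this session ever had


class SessionStore:
    """In-memory store. In a multi-replica deployment this state would live in a
    shared store so that a revocation is visible to every replica."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.token_to_session: Dict[str, str] = {}

    def login(self, user_id: str) -> Tuple[str, str]:
        """Create a session and return (session_id, first refresh token)."""
        sid = secrets.token_urlsafe(16)
        tok = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, tok, issued={tok})
        self.token_to_session[tok] = sid
        return sid, tok

    def refresh(self, presented: str) -> Optional[str]:
        """Rotate the refresh token. Returns the new token, or None if refused."""
        sid = self.token_to_session.get(presented)
        if sid is None:
            return None  # never issued by us
        session = self.sessions[sid]
        if session.revoked:
            return None
        if presented != session.current_refresh:
            # Replay of a retired token: revoke the whole session so both the
            # legitimate client and whoever holds the stale copy must sign in again.
            session.revoked = True
            return None
        new_tok = secrets.token_urlsafe(32)
        session.current_refresh = new_tok
        session.issued.add(new_tok)
        self.token_to_session[new_tok] = sid
        return new_tok

    def is_revoked(self, session_id: str) -> bool:
        return self.sessions[session_id].revoked

    def revoke(self, session_id: str) -> None:
        """Explicit sign-out; every token ever issued to the session now fails."""
        self.sessions[session_id].revoked = True
```

The important behaviour is the third branch of `refresh`: the replayed token is recognised as belonging to a known session rather than being treated as merely invalid, which is what lets the server revoke the session instead of silently denying one request.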
3. Application security
- Per-IP rate limiting on all API endpoints, with tighter limits on authentication, signup and external-form endpoints.
- Origin and referrer checks on state-changing requests; cookies scoped tightly by domain and path.
- Server-side input validation; SVG uploads are sanitised before storage and rendered through <img> tags so embedded scripts cannot execute.
- File uploads are enforced through a quota-aware storage layer with a per-organisation storage event ledger.
- Per-tenant database isolation for customer data: each customer's supplier records, forms and files live in a dedicated tenant database rather than co-mingled tables.
4. Access controls
- Role-based access controls in the application (Admin / Manager / Employee / Supplier), with permissions checked on every request.
- Production access for Supplio personnel is restricted on the principle of least privilege; access is auditable and revoked on offboarding.
- Cloud-console access requires MFA.
5. Logging and auditing
- An immutable in-application audit log records every meaningful action (record changes, document uploads, configuration changes, score recalculations, sign-ins, token refreshes), including the actor, timestamp, originating IP address and user-agent.
- Operational request and error logs are kept for a limited period and reviewed for anomalies. We avoid logging request and response bodies to minimise the personal data that lands in logs.
6. Infrastructure and network
- The platform runs in cloud infrastructure with UK / EEA availability zones.
- Traffic is fronted by an upstream CDN/WAF providing TLS termination, DDoS protection and rate limiting at the edge; forwarded headers are accepted only from trusted upstream IP ranges to prevent IP-spoofing in audit logs.
- Slowloris and similar low-bandwidth attacks are mitigated by configured request-header and keep-alive timeouts.
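The rule that forwarded headers are accepted only from trusted upstream ranges is what keeps a direct client from writing an arbitrary address into the audit log. The function below is an added illustration of that rule, not Supplio's code; the trusted ranges, header values and addresses are constructed test data (RFC 5737 documentation ranges), and the function name is an assumption.

```python
"""Resolve the client address for audit logging behind a trusted proxy (added example)."""
import ipaddress
from typing import Iterable, Optional


def client_ip(remote_addr: str, xff_header: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the address to record for this request.

    - If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored and the
      peer address is logged: a direct client can put anything in the header.
    - If the peer is trusted, walk the header from the right, skipping trusted
      proxy hops, and take the first untrusted address. That is the client as
      seen by the outermost trusted proxy; anything further left was supplied
      by the client and is not believed.
    - Malformed entries fall back to the peer address rather than being logged.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def parse(value: str):
        try:
            return ipaddress.ip_address(value)
        except ValueError:
            return None

    def is_trusted(addr) -> bool:
        return addr is not None and any(addr in n for n in nets)

    peer = parse(remote_addr)
    if not is_trusted(peer) or not xff_header:
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        addr = parse(hop)
        if addr is None:
            return remote_addr  # garbage in the chain: do not trust any of it
        if not is_trusted(addr):
            return str(addr)
    # Every hop was one of our own proxies; the peer is the best we know.
    return remote_addr


# Constructed trusted range standing in for the CDN/WAF egress addresses.
TRUSTED_UPSTREAM = ["198.51.100.0/24"]
```

Equivalent middleware exists in most web frameworks (for example a configured list of trusted proxies); the point to check is that the trusted list is the CDN's egress ranges and nothing broader, since a trusted `0.0.0.0/0` re-enables the spoof.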
7. Backups and disaster recovery
- Automated database backups are taken daily and retained for up to 35 days.
- Database deployments use the cloud provider's managed high-availability features where applicable.
- Recovery-time and recovery-point objectives appropriate to the Enterprise plan are documented in the relevant order form.
8. Sub-processors and supply-chain security
See /legal/sub-processors for the current sub-processor list, the data each one handles and the transfer safeguards in place. We monitor dependency vulnerabilities and review significant infrastructure changes.
9. Personal-data breach response
- We monitor for security events and have an internal incident-response procedure for containment, eradication, recovery and lessons-learned.
- If we become aware of a personal-data breach affecting Customer Personal Data, we notify affected customers without undue delay and in any event within 72 hours, in line with section 9 of the DPA.
- We will provide reasonable cooperation, including any information needed for the customer to meet its own notification obligations to data subjects and supervisory authorities.
10. Secure software development
- Source control with branch protections; significant changes are reviewed.
- Automated tests run on every change; production deployment is gated on successful checks.
- Dependencies are kept up to date and monitored for known vulnerabilities.
- Production source maps are currently published with the bundles to support debugging; this is a known trade-off and will be revisited once a server-side error tracker is in place.
11. Compliance posture
- UK GDPR & Data Protection Act 2018: see the Privacy Policy and DPA.
- PCI-DSS: we do not store or transmit cardholder data — payments are handled by Stripe, a PCI-DSS Level 1 service provider.
- SOC 2 / ISO 27001: Supplio does not currently hold these certifications. We rely on the certifications of our underlying infrastructure providers and on the controls described here. Achieving an independent attestation is on our roadmap as we grow.
12. Vulnerability disclosure
Security researchers are welcome to report suspected vulnerabilities to security@supplio.co.uk. Please include enough information to reproduce the issue. We aim to acknowledge reports within two UK business days. We do not currently operate a paid bug-bounty programme; we will not pursue good-faith researchers who:
- do not access, modify or delete data beyond what is needed to demonstrate the issue;
- do not degrade the Service or affect other customers;
- do not exfiltrate data or use it for any purpose;
- give us a reasonable window to fix the issue before public disclosure.
13. Customer responsibilities
Strong security is a shared responsibility. Customers should:
- protect their administrator credentials and rotate them if a user leaves;
- enable any multi-factor authentication option offered;
- follow good account-hygiene practices (no shared logins);
- review the audit log periodically; and
- configure supplier-scoring weights and automation rules consistent with their own risk appetite.
14. Contact
Security questions, vulnerability reports or requests for a security questionnaire? Email security@supplio.co.uk.