Security
Supplira is built with practical security controls, transparent architecture, and EU-focused data handling for supplier risk follow-up.
This page describes controls implemented in the product today. It is not a certification statement and does not guarantee regulatory compliance.
Architecture and data isolation
- PostgreSQL Row-Level Security (RLS) — tenant isolation is enforced at the database level using account-scoped policies.
- Server-side authorization — access checks are enforced in application logic before data is returned or changed.
- Account-scoped data — customer data is scoped to your Supplira account within the shared application database.
- Audit logging — security-sensitive and account activity is recorded for operational review.
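As an added illustration of the account-scoped Row-Level Security control listed above (example SQL written for this page, not Supplira's own schema or policies; the table, column, role and setting names are assumptions):

```sql
-- Assumed example schema: one shared table, every row tagged with its account.
CREATE TABLE suppliers (
    id          bigserial PRIMARY KEY,
    account_id  bigint NOT NULL,
    name        text   NOT NULL
);

-- Role the application connects as. It must not own the table: table owners
-- and superusers bypass RLS unless the table is marked FORCE ROW LEVEL SECURITY.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON suppliers TO app_user;

ALTER TABLE suppliers ENABLE ROW LEVEL SECURITY;
ALTER TABLE suppliers FORCE ROW LEVEL SECURITY;   -- also applies to the owner

-- Every read and write must match the account id the application sets for the
-- request. current_setting(..., true) returns NULL when the setting is absent,
-- so a code path that forgot to set it sees and can write nothing, not everything.
CREATE POLICY account_isolation ON suppliers
    FOR ALL
    TO app_user
    USING      (account_id = current_setting('app.account_id', true)::bigint)
    WITH CHECK (account_id = current_setting('app.account_id', true)::bigint);

-- Per-request usage by the application, connected as app_user.
-- SET LOCAL scopes the value to this transaction, so it cannot leak into the
-- next request on a pooled connection. The value comes from the authenticated
-- session, never from request parameters.
BEGIN;
SET LOCAL app.account_id = '42';
SELECT id, name FROM suppliers;                                -- account 42 only
INSERT INTO suppliers (account_id, name) VALUES (42, 'Acme');  -- allowed
INSERT INTO suppliers (account_id, name) VALUES (7, 'Other');  -- ERROR: new row violates row-level security policy
ROLLBACK;
```

A quick check for this control is to run the SELECT without the SET LOCAL and confirm it returns zero rows; if it returns every tenant's data, the application role is bypassing the policy.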
Authentication and access security
- Multi-factor authentication (TOTP) — supported for user accounts.
- Password hashing — passwords are stored using bcrypt.
- Secure session cookies — session cookies carry the HttpOnly attribute and other cookie attributes appropriate for web authentication.
- Session expiration — login sessions expire after the configured session lifetime.
- Rate limiting — login and MFA attempts are rate limited to reduce brute-force risk.
- Platform administration — platform admin capabilities are separated from normal customer account access.
Operational transparency
- Account audit history — account administrators can review account-scoped audit history for security-relevant activity.
- Descriptive audit records — audit entries are recorded with enough context to support follow-up and investigation.
- Supplier assessment history — assessment and supplier risk history remain visible within your account for ongoing follow-up.
GDPR and data handling
Supplira is designed for teams handling supplier-related personal and operational data in a GDPR-aware workflow. Our primary application database is hosted in the EU (Sweden, AWS eu-north-1).
- EU-hosted primary application database
- Data Processing Agreement available on request where required
- Some supporting services (for example email delivery, hosting, logging, or security tooling) may use approved subprocessors — see our Subprocessors page
Use of Supplira does not, by itself, satisfy your legal or regulatory obligations. You remain responsible for your compliance program and how you use the Service.
Infrastructure
Supplira’s primary application database is hosted in Sweden (AWS eu-north-1). Some supporting services may use approved subprocessors outside that single region or provider, as described in our terms and customer agreements where applicable.
Ongoing improvements
We continue to improve operational security controls over time. This page is updated when material controls change.
Security contact
Questions about security or data handling: [email protected]
If you believe you have discovered a security issue, please contact us at [email protected]. Please include enough detail for us to reproduce and investigate the issue.