Security

Last reviewed: April 2026 · Reviewed quarterly

Datumbase is built on SOC 2 Type II certified infrastructure, uses passwordless authentication, and stores all primary data in a UK-region data centre. This page summarises our security posture for customers undertaking procurement due diligence.

1. Infrastructure & hosting

Component	Provider	Certification	Region
Application & CDN	Vercel	SOC 2 Type II	Global edge / EU nodes
Database & auth & storage	Supabase	SOC 2 Type II	eu-west-2 (London, UK)
Transactional email	Resend	SOC 2 Type II	USA
AI extraction (optional)	Anthropic	Enterprise DPA	USA — data not retained

Datumbase itself is pursuing Cyber Essentials certification (planned Q3 2026). Provider SOC 2 reports are available on request for enterprise due diligence.

2. Data residency

The primary Supabase instance is provisioned in eu-west-2 (London, United Kingdom). Your project data, user records, uploaded documents, and CDM document content are stored in this region.

Vercel’s edge network serves application traffic globally for performance. No customer data is persistently stored by Vercel outside of the Supabase instance. If contractual UK-only data residency is required, please contact us to discuss your requirements.

3. Encryption

Layer	Standard	Detail
In transit	TLS 1.2 / 1.3	All connections between browser, Vercel, and Supabase are TLS-encrypted. Automatic certificate management via Vercel (Let's Encrypt).
At rest — database	AES-256	Supabase encrypts all PostgreSQL data at rest.
At rest — file storage	AES-256	All uploaded documents (PDF, images) are encrypted in Supabase Storage (S3-compatible).
API keys & secrets	Encrypted env vars	All service credentials are held as encrypted Vercel environment variables. Nothing is committed to source code.

4. Authentication & access control

Datumbase uses passwordless magic link authentication via Supabase Auth. No passwords are ever created, stored, or transmitted — eliminating an entire category of credential risk.

One-time magic links expire after 1 hour and are single-use
Session JWTs are validated on every server request via Next.js middleware
Role-based access control: Owner / Admin / Member / Viewer roles enforced at the application and database layer
Row-Level Security (RLS) in Supabase enforces organisation isolation — no cross-tenant data access is possible at the database layer
File access is via time-limited signed URLs (1-hour expiry) — no permanent public links to customer documents exist

5. Application security

HTTP security headers — Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Permissions-Policy are set on all responses
CSRF protection — Next.js App Router server actions include built-in origin checking
File upload controls — MIME type allowlist (PDF, JPEG, PNG, WebP, GIF), 20 MB size limit, filename sanitisation before storage path construction
TypeScript throughout — full type safety reduces injection and type-confusion vulnerabilities
Server-rendered architecture — React Server Components minimise client-side secret exposure
Private source code — GitHub repository is private; no public access to application code

6. Sub-processors

We use the following sub-processors to deliver the Datumbase service. Each is contractually bound to handle data securely and in accordance with UK GDPR.

Sub-processor	Role	Data transferred	Security page
Vercel Inc.	Application hosting & CDN	Application traffic — no persistent storage	vercel.com/security
Supabase Inc.	Database, file storage & authentication	All user and platform data	supabase.com/security
Resend Inc.	Transactional email delivery	Email address, notification content	resend.com/security
Anthropic PBC	AI document extraction (optional)	Document content during API call only — not retained by Anthropic	anthropic.com/security

We do not sell your data to third parties or use it for advertising.

7. Privacy & compliance

Datumbase is operated by Brockhurst Property Ltd, registered in England and Wales, acting as data controller. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Privacy Notice — full details of data collection, legal bases, retention, and your rights: app.datumbase.tech/privacy
Data residency — all primary data stored in UK (Supabase eu-west-2, London); full details at app.datumbase.tech/data-residency
Data retention — account and project data deleted within 30 days of account closure
Right to erasure — data deletion requests honoured within 30 days; contact privacy@datumbase.tech
Breach notification — we will notify affected customers and the ICO within 72 hours of becoming aware of a personal data breach, as required by UK GDPR Article 33

Data Processing Agreements (DPA) are available for enterprise customers. Contact privacy@datumbase.tech.

8. Responsible disclosure

We take security reports seriously. If you believe you have found a security vulnerability in Datumbase, please contact us privately before disclosing it publicly. We will acknowledge your report within 2 business days and aim to resolve confirmed issues within 30 days.

Report a vulnerability: security@datumbase.tech

Our full Vulnerability Disclosure Policy covers scope, rules of engagement, response timelines, and safe harbour. The security.txt file is available at /.well-known/security.txt per RFC 9116. We do not currently offer a monetary bug bounty but will credit researchers where they consent to attribution.

9. Further information

For security questionnaires, vendor assessment forms, or additional information not covered on this page, please contact:

General security enquiries: security@datumbase.tech
Privacy & data protection: privacy@datumbase.tech

This page is reviewed quarterly. Material changes will be notified to registered users by email.

← Back to sign in

Datumbase is operated by Brockhurst Property Ltd, England & Wales.