Complaix

Security

A summary of how Complaix protects your data and how to disclose issues to us responsibly.

Platform hardening

  • Strict HTTPS-only, HSTS preload, Content Security Policy.
  • Multi-tenant isolation via PostgreSQL Row-Level Security.
  • Signed Stripe webhooks with replay-safe dedup.
  • File uploads validated by magic-byte inspection.
  • Append-only evidence vault. GDPR Art. 17 erasure requests and EU AI Act Art. 18 retention obligations are reconciled by anonymising PII in place, so records can be erased without breaking audit-trail integrity.
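The webhook bullet names two separate checks: the signature proves the body came from Stripe, and deduplication stops a legitimately signed event from being applied twice (Stripe retries deliveries, and a captured request could be replayed). The following is an added example written for this page, not Complaix's or Stripe's own code; it implements Stripe's documented v1 scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, carried in the `Stripe-Signature` header) from the standard library. The secret, event ids and timestamps are constructed values, and the in-memory set stands in for the database table a real service would use.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secret for this example; Stripe issues the real one per endpoint.
WEBHOOK_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is further than this from "now"


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
    The receiver recomputes this; the demo below also uses it to construct test input."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    """Split "t=<ts>,v1=<hex>[,v1=<hex>...]" into the timestamp and the list of v1 signatures."""
    timestamp: Optional[int] = None
    v1_sigs = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            v1_sigs.append(value)
    if timestamp is None or not v1_sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, v1_sigs


class WebhookReceiver:
    """Verifies the signature, enforces the timestamp tolerance, then deduplicates by event id."""

    def __init__(self, secret: str, tolerance: int = TOLERANCE_SECONDS):
        self._secret = secret
        self._tolerance = tolerance
        # In-memory for the example; production would use a table with a unique index on event id.
        self._seen_event_ids = set()

    def process(self, payload: bytes, header: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        try:
            ts, sigs = parse_signature_header(header)
        except ValueError:
            return "rejected: malformed header"
        expected = sign_payload(self._secret, ts, payload)
        # Constant-time compare against every v1 entry (Stripe sends several during secret rotation).
        if not any(hmac.compare_digest(expected, s) for s in sigs):
            return "rejected: bad signature"
        if abs(now - ts) > self._tolerance:
            return "rejected: stale timestamp"
        event_id = json.loads(payload).get("id")
        if not event_id:
            return "rejected: missing event id"
        if event_id in self._seen_event_ids:
            return "rejected: duplicate event"
        self._seen_event_ids.add(event_id)
        return "processed"


def build_signed_request(secret: str, event: dict, timestamp: int):
    """Construct a raw body and a matching header, shaped the way Stripe sends them."""
    payload = json.dumps(event, separators=(",", ":")).encode()
    return payload, f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def demo() -> list:
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    now = 1_700_000_000  # constructed "current time"
    body, hdr = build_signed_request(
        WEBHOOK_SECRET, {"id": "evt_constructed_1", "type": "checkout.session.completed"}, now)
    body2, hdr2 = build_signed_request(
        WEBHOOK_SECRET, {"id": "evt_constructed_2", "type": "invoice.paid"}, now + 10)
    return [
        receiver.process(body, hdr, now),          # first delivery
        receiver.process(body, hdr, now + 5),      # Stripe retry of the same event
        receiver.process(body, hdr, now + 3600),   # same request replayed an hour later
        receiver.process(body + b" ", hdr, now),   # body altered in transit
        receiver.process(body2, hdr2, now + 10),   # a different event
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two design points matter here: the signature is checked over the raw request bytes before the JSON is parsed, so no untrusted input is interpreted until it is authenticated; and the timestamp tolerance bounds how long a captured request stays replayable, while the event-id set catches replays and retries inside that window.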
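The magic-byte bullet is about trusting the file's own bytes rather than the extension or the client-supplied `Content-Type`, both of which an uploader controls. The following is an added example for this page, not Complaix's upload code; the accepted types, the signature table and the sample uploads are all constructed here.

```python
import os
from typing import Optional, Tuple

# Leading bytes that identify each accepted content type.
MAGIC_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
}

# Extensions the upload endpoint accepts, and the content each one claims to carry.
ALLOWED_EXTENSIONS = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the file's leading bytes, or None if unrecognised."""
    for mime, prefixes in MAGIC_SIGNATURES.items():
        if any(data.startswith(prefix) for prefix in prefixes):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension is on the allow-list AND the bytes match what it claims.
    The client-supplied Content-Type header is deliberately ignored: it is attacker-controlled."""
    ext = os.path.splitext(filename)[1].lower()
    declared = ALLOWED_EXTENSIONS.get(ext)
    if declared is None:
        return False, "extension not allowed"
    actual = sniff_type(data)
    if actual is None:
        return False, "content not recognised"
    if actual != declared:
        return False, f"content is {actual} but extension claims {declared}"
    return True, actual


# Constructed sample uploads: only the first few bytes matter to the check.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("scan.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("report.pdf", b"%PDF-1.7\n%..."),
    ("renamed.png", b"<!DOCTYPE html><title>not an image</title>"),  # HTML behind an image extension
    ("invoice.pdf", b"\x89PNG\r\n\x1a\n"),                            # extension / content mismatch
    ("tool.exe", b"MZ\x90\x00"),                                       # extension not allowed at all
]


def run_samples() -> dict:
    return {name: validate_upload(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}: {reason}")
```

A magic-byte check proves only what the file starts with, so it belongs alongside the usual companions: a size limit, re-encoding images through a trusted library, and serving uploads from a separate origin with `X-Content-Type-Options: nosniff` so a file that passes the prefix check still cannot be interpreted as something else by a browser.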

Authentication

  • Argon2id password hashing (Supabase Auth).
  • Optional TOTP two-factor authentication.
  • Rate-limited sign-in and password-reset flows.
  • Session invalidation on password change.

Data protection

  • Encryption at rest (Supabase AES-256) and in transit (TLS 1.3).
  • EU West primary residency; no transatlantic storage by default.
  • Point-in-time recovery (PITR), daily + weekly cold backups.

Responsible disclosure

If you believe you have found a security issue in Complaix, please email security@complaix.eu with the details. We ask that you:

  • give us reasonable time to remediate before public disclosure;
  • avoid exploiting the issue beyond what is needed to confirm it;
  • do not access or retain data that is not yours.

We acknowledge reports within 3 business days and aim to remediate high-severity issues within 14 days.

security.txt

Machine-readable disclosure details live at /.well-known/security.txt.
