🐋 WhaleWatch

Information Security Policy

Version 1.0 · Last updated April 25, 2026

1. Purpose and Scope

This document describes the information-security controls in place at WhaleWatch (operated from British Columbia, Canada — contact [email protected]) to protect data accessed, processed, or stored by our application. It applies to all production systems, third-party services, and personnel with access to customer data.

2. Data Protection

  • Encryption at rest. All customer data is stored in a managed PostgreSQL database on Supabase (AWS us-east-1) and encrypted with AES-256 by the underlying storage layer.
  • Encryption in transit. All client-to-server and server-to-server traffic is encrypted with TLS 1.2 or higher. HTTP traffic is automatically upgraded to HTTPS at the Cloudflare edge.
  • Secrets management. API keys and service credentials are stored as environment variables in Supabase Edge Functions and Cloudflare Pages — never committed to source control.

3. Identity and Access Management

  • Role-based access control (RBAC). Database access is governed by the Supabase Postgres roles (anon, authenticated, service_role), each granted only the privileges it needs, following the principle of least privilege.
  • Row-Level Security (RLS). All user-owned tables have RLS enabled with policies that restrict each row to its owning user. Because the policies are enforced by Postgres itself, they apply to every query made through the anon or authenticated role, including requests sent directly to the REST API. The service_role key, which bypasses RLS, is used only by server-side Edge Functions and is never exposed to clients.
  • Centralized identity. User authentication is managed by Supabase Auth, providing a single source of truth for identity, sessions, and password policy.
  • Multi-factor authentication. MFA is enforced on all administrative accounts (Supabase, Cloudflare, GitHub, email). End users may optionally enable MFA on their WhaleWatch account.
  • Strong password policies. Supabase Auth requires a minimum password complexity and rejects credentials known to be compromised.
  • Session management. JSON Web Tokens (JWTs) issued by Supabase Auth expire automatically; refresh tokens are rotated on each use.
  • Service-to-service authentication. All non-human authentication uses signed OAuth bearer tokens (JWTs) over TLS.
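The owner-only RLS pattern described above, written out as an added example. This is not WhaleWatch's own schema: the table public.portfolios and its owner_id column are assumptions made for illustration, while the roles anon, authenticated and service_role and the auth.uid() helper are the ones Supabase provides. The final block shows how to verify a policy from a SQL session by simulating the claims PostgREST sets per request.

```sql
-- Added example, not WhaleWatch code. Assumed table: public.portfolios.
create table if not exists public.portfolios (
  id         uuid primary key default gen_random_uuid(),
  -- Default the owner to the caller's user id taken from the JWT, so clients
  -- cannot "forget" to set it and the WITH CHECK below can never be skipped.
  owner_id   uuid not null default auth.uid(),
  name       text not null,
  created_at timestamptz not null default now()
);

-- 1. Enable RLS. With no policies yet, anon/authenticated see zero rows.
alter table public.portfolios enable row level security;
-- FORCE makes the policies apply to the table's owner as well; roles with the
-- BYPASSRLS attribute (Supabase's service_role) still bypass them.
alter table public.portfolios force row level security;

-- 2. Least privilege at the grant level, before RLS even runs:
--    logged-out callers get nothing, logged-in callers get CRUD on this table.
revoke all on public.portfolios from anon;
grant select, insert, update, delete on public.portfolios to authenticated;

-- 3. One policy per verb, each tied to the owning user.
--    USING filters rows the caller may see/touch; WITH CHECK constrains rows
--    the caller may write, so a user cannot insert or reassign a row to
--    someone else's owner_id.
create policy "owner can read"   on public.portfolios
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert" on public.portfolios
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update" on public.portfolios
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete" on public.portfolios
  for delete to authenticated
  using (owner_id = auth.uid());

-- 4. Verify from psql / the SQL editor. auth.uid() reads the 'sub' claim from
--    the request.jwt.claims setting, which PostgREST populates on every
--    request; here it is set by hand to impersonate a user for the transaction.
--    The user ids below are constructed sample values.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);

  -- owner_id defaults to auth.uid(), so this passes the insert policy
  insert into public.portfolios (name) values ('alice main');

  -- writing a row on behalf of another user is rejected by WITH CHECK:
  -- insert into public.portfolios (owner_id, name)
  --   values ('22222222-2222-2222-2222-222222222222', 'bob');
  -- ERROR: new row violates row-level security policy for table "portfolios"

  -- only the impersonated user's rows are visible
  select id, owner_id, name from public.portfolios;
rollback;

-- A logged-out caller hits the REVOKE first ("permission denied"); even
-- without the REVOKE, RLS with no anon policy would return zero rows.
-- begin; set local role anon; select count(*) from public.portfolios; rollback;
```

Two things worth checking after applying a migration like this: that `alter table … enable row level security` was actually run on every user-owned table (a table with policies but RLS disabled is wide open), and that no policy uses `using (true)` for a role other than the one you intend. Supabase's `pg_policies` view lists every policy per table and is the quickest place to audit both.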

4. Network Security

  • The web application is served from Cloudflare Pages, which provides DDoS protection and a Web Application Firewall (WAF) at the network edge.
  • Database access is restricted to Supabase's managed network; there is no direct public access to the database.
  • Edge Functions run in an isolated Deno runtime managed by Supabase.

5. Logging and Monitoring

  • Supabase records every database query, authentication event, and Edge Function invocation in audit logs accessible to administrators.
  • Cloudflare records every HTTP request to the application with source IP, path, status, and user agent.
  • An internal sync-health-check function runs on a 2-hour schedule, monitors data-source freshness, and posts grouped alerts to a private Discord channel when thresholds are breached.

6. Backups and Disaster Recovery

  • Supabase performs automated daily Postgres backups with 7-day retention.
  • Source code is mirrored to a private GitHub repository with full version history.
  • Infrastructure is reproducible from version-controlled migrations and Edge Function source.

7. Incident Response

  • Suspected security incidents are triaged immediately on receipt at [email protected].
  • Compromised credentials (API keys, service-role tokens, database passwords) are rotated within 24 hours of confirmed exposure.
  • Affected users are notified by email within 72 hours of a confirmed unauthorized access to their data, in line with applicable data-breach disclosure laws.
  • Audit logs are reviewed to determine the scope of any incident, and remediation steps are documented after resolution.

8. Vendor and Subprocessor Management

WhaleWatch relies on the following subprocessors. Each was selected in part for the industry-standard security certifications the provider maintains:

  • Supabase — managed Postgres, authentication, Edge Functions (data hosting on AWS).
  • Cloudflare — DNS, CDN, web application firewall, Pages hosting.
  • Plaid — financial-account aggregation (Investments product).
  • Resend — transactional email delivery.
  • Stripe — payment processing for paid subscriptions.
  • Finnhub — real-time equity quote data.

9. Data Retention and User Rights

  • Users may disconnect any linked financial institution at any time from the in-app portfolio screen; doing so removes the associated Plaid access token and stops further data sync.
  • Users may request full deletion of their account and all associated data by contacting [email protected].
  • WhaleWatch does not sell, share, or license user data to third parties for advertising or any other purpose outside the scope of providing the application.

10. Security Updates and Vulnerability Management

  • Underlying platforms (Supabase, Cloudflare, Next.js, Deno) receive security patches automatically or are upgraded promptly upon release.
  • Application dependencies are reviewed for known vulnerabilities before each deployment.
  • Third-party penetration testing is planned within 12 months of public launch.

11. Personnel

WhaleWatch is currently operated by a small team. There are no employees, contractors, or other personnel beyond this team with access to customer data. As the organization grows, this policy will be updated to include personnel screening, role-based onboarding, and access-revocation procedures.

12. Contact

For security-related inquiries, vulnerability disclosures, or compliance documentation requests, contact [email protected].

This policy is reviewed at least annually and following any material change to the application's architecture or threat model.