OnFlip.FLIP OS
Policy · May 2026

Security by design.

We take the security of your data seriously. This page explains how we protect the platform, how you can report vulnerabilities, and what we commit to when things go wrong.

How we protect your data

  • Encryption in transit and at rest. TLS 1.3 enforced. Data encrypted in PostgreSQL with AES-256 via Supabase.
  • Row Level Security. Every query passes through database-level filters. Your projects are invisible to any other user.
  • Breached password check. We check against HaveIBeenPwned's breach database (never sending your actual password).
  • Multi-factor authentication available. TOTP support via apps like Google Authenticator, Authy or 1Password.
  • Immutable audit log. Critical actions in your workspace are logged. Visible to admins.
  • EU infrastructure. Data stored on Supabase servers in the European Union (London / Paris).

Subprocessors

To operate the platform, we rely on the following providers. All have SOC 2 Type II certifications and signed DPAs:

  • Supabase: Database, auth
  • Vercel: Hosting, CDN
  • Stripe: Payments
  • Resend: Transactional emails

Reporting a vulnerability

If you've discovered a security vulnerability, we ask that you contact us privately before disclosing it publicly. We commit to:

  • Respond within 72 hours.
  • Keep you informed about progress.
  • Not take legal action against good-faith researchers.
  • Credit your contribution publicly (if you wish).

Security contact: suporte@onflip.pt

PGP key (optional): Coming soon. For now, plain email is sufficient.

Privacy and GDPR

We comply with GDPR. You have rights of access, rectification, erasure, portability and objection. All of these can be exercised in Settings → Privacy within your account. To contact our DPO: suporte@onflip.pt.

OnFlip · SaaS platform for real estate project management. We are not a financial institution or real estate intermediary. We do not raise capital. We do not guarantee returns.