Security
Data Security & Privacy
Version: 1.0 · Last Updated: April 2026
1. Infrastructure & Data Storage
Cloud Hosting
ECHO Impact uses two primary hosting providers:
- Supabase (Oceania – Sydney, ap-southeast-2): database, authentication, file storage, and serverless edge functions. Supabase is SOC 2 Type II certified.
- Railway (Southeast Asia – Singapore): application hosting for the web frontend and application server.
Key infrastructure details:
- Database: PostgreSQL managed by Supabase, hosted in the Sydney region (ap-southeast-2)
- File Storage: Supabase Storage for document uploads and attachments
- Edge Functions: Supabase serverless compute for background processing (email delivery, AI-assisted features)
- Application Server: Railway-hosted web application
Data Residency
All primary data (database records, uploaded documents, and file attachments) is stored in Supabase's Sydney region (ap-southeast-2), ensuring data remains within Australian jurisdiction.
The web application is served from Railway's Singapore region. Railway serves the application code only; no customer data is stored on Railway. All data read/write operations are performed directly against the Supabase Sydney database.
Supabase holds the following certifications and provides the following controls:
- SOC 2 Type II
- HIPAA compliance (available on enterprise plans)
- Data encrypted at rest and in transit
Encryption
| Layer | Method |
|---|---|
| In Transit | All data transmitted via TLS 1.2+ (HTTPS). No unencrypted connections are accepted. |
| At Rest | Database storage encrypted using AES-256 via Supabase managed encryption. File storage uses server-side encryption. |
| Backups | Database backups are encrypted at rest using the same AES-256 encryption. |
2. Access & Authentication Controls
User Authentication
- Email & password authentication managed by Supabase Auth with secure JWT (JSON Web Token) session handling
- Passwords are hashed using bcrypt (never stored in plaintext)
- Sessions include automatic token refresh and expiry
- Password reset via secure, time-limited email links
- Invitation-based onboarding: new users can only access an organisation after being explicitly invited by an organisation administrator
Role-Based Access Control (RBAC)
ECHO implements a strict three-tier role model within each organisation:
| Role | Permissions |
|---|---|
| Viewer | Read-only access to organisation data |
| Editor | Read and write access to projects, forms, and data |
| Admin | Full access including user management, settings, and configuration |
Row-Level Security (Multi-Tenancy)
Every database table is protected by PostgreSQL Row-Level Security (RLS) policies. This means:
- Data queries are filtered at the database level: users can only retrieve rows belonging to organisations of which they are members
- Even if application code were compromised, the database itself enforces data isolation
- There is no shared data between organisations: each organisation's data is completely siloed
- RLS policies are enforced on all 48+ data tables covering projects, forms, applications, assessments, contacts, documents, and more
API Security
- All API endpoints require valid authentication tokens (JWT)
- Public-facing endpoints (e.g., application submission forms, shared portfolio views) use anonymous tokens with strictly limited read-only access
- Admin-only operations (e.g., data imports) include additional server-side role verification
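The three-tier role model, the row-level policies and the server-side admin check described above, as an added SQL example that is not ECHO Impact's own schema: table, column, function and policy names are assumptions chosen for illustration, while `auth.uid()`, `auth.users` and the `authenticated` role are Supabase's standard PostgreSQL objects.

```sql
-- Added example (not ECHO Impact's own schema): a minimal multi-tenant
-- layout on Supabase/PostgreSQL showing how a viewer/editor/admin role
-- model and Row-Level Security fit together. All names are assumptions.

create type org_role as enum ('viewer', 'editor', 'admin');

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership is the single source of truth for "who belongs to which
-- organisation, with which role". auth.users is Supabase Auth's user table.
create table org_members (
  org_id  uuid not null references organisations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role    org_role not null default 'viewer',
  primary key (org_id, user_id)
);

-- One tenant-scoped data table standing in for projects, forms, etc.
create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organisations(id) on delete cascade,
  title  text not null
);

-- Helper: the calling user's role in one organisation, or NULL if they are
-- not a member. auth.uid() is the user id taken from the verified JWT.
-- SECURITY DEFINER runs the lookup as the function owner, which avoids the
-- policies on org_members recursing into themselves.
create or replace function current_org_role(p_org uuid)
returns org_role
language sql stable security definer
set search_path = public
as $$
  select role from org_members
  where org_id = p_org and user_id = auth.uid();
$$;

-- With RLS enabled and no matching policy, every row is denied, so
-- isolation is the default and each policy is a narrow grant.
alter table projects enable row level security;
alter table org_members enable row level security;

-- Viewer and above: read rows of organisations the caller belongs to.
create policy projects_select on projects
  for select to authenticated
  using (current_org_role(org_id) is not null);

-- Editor and admin: create and change rows. WITH CHECK stops an editor
-- from inserting or moving a row into another organisation.
create policy projects_insert on projects
  for insert to authenticated
  with check (current_org_role(org_id) in ('editor', 'admin'));

create policy projects_update on projects
  for update to authenticated
  using (current_org_role(org_id) in ('editor', 'admin'))
  with check (current_org_role(org_id) in ('editor', 'admin'));

create policy projects_delete on projects
  for delete to authenticated
  using (current_org_role(org_id) = 'admin');

-- Members can see who else is in their organisation; only admins manage it.
create policy members_select on org_members
  for select to authenticated
  using (current_org_role(org_id) is not null);

create policy members_admin on org_members
  for all to authenticated
  using (current_org_role(org_id) = 'admin')
  with check (current_org_role(org_id) = 'admin');

-- Server-side role verification for admin-only operations such as a data
-- import: the role is re-read from org_members, never taken from the client.
create or replace function assert_org_admin(p_org uuid)
returns void
language plpgsql stable
as $$
begin
  if current_org_role(p_org) is distinct from 'admin' then
    raise exception 'admin role required for organisation %', p_org
      using errcode = 'insufficient_privilege';
  end if;
end;
$$;

-- The anonymous role used by public submission forms gets no policy on
-- projects at all, so RLS returns zero rows to it whatever it queries.
```

Two points worth checking in any deployment of this pattern. First, policies are additive: a new table with RLS enabled and no policy is closed by default, which is the safe failure mode, but a table where RLS was never enabled is fully open to the client roles, so enabling RLS should be part of every migration that creates a table. Second, Supabase's service-role key bypasses RLS entirely; it belongs only in server-side code (edge functions, the application server) and must never reach a browser, otherwise the database-level isolation described above no longer applies.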
3. Data Breach Response
Monitoring & Detection
- Supabase provides real-time monitoring of database access patterns and API usage
- Failed authentication attempts are logged
- Unusual access patterns trigger alerts via Supabase's built-in monitoring
Incident Response Plan
In the event of a suspected data breach, ECHO follows this response protocol:
1. Identification & Containment (within 4 hours)
- Isolate affected systems
- Revoke compromised credentials or tokens
- Preserve logs for forensic analysis
2. Assessment (within 24 hours)
- Determine scope: what data was accessed, which organisations are affected
- Identify the attack vector and confirm containment
3. Notification (within 72 hours, per the Australian Privacy Act / Notifiable Data Breaches scheme)
- Notify affected organisations and their administrators
- Notify the Office of the Australian Information Commissioner (OAIC) if the breach meets the threshold for a Notifiable Data Breach
- Provide clear guidance on what data was affected and recommended actions
4. Remediation & Review
- Implement fixes to prevent recurrence
- Conduct post-incident review
- Update security measures and documentation as needed
4. Backup & Data Recovery
- Automated daily backups of the full database, managed by Supabase
- Point-in-time recovery available (depending on plan tier), allowing restoration to any point within the retention window
- Backups are stored separately by Supabase for redundancy
- Backup restoration is tested periodically
5. Application Security Practices
Secure Development
- Application code is maintained in a private Git repository with access limited to the development team
- Dependencies are regularly reviewed and updated for known vulnerabilities
- Sensitive credentials (API keys, database connection strings) are stored as environment variables, never in source code
Audit Logging
- Data import operations are fully logged with timestamps, user attribution, row counts, and rollback capability
- Email communications (invitations, notifications) are logged with delivery status tracking
- Form submissions and assessment completions include timestamps and user attribution
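An audit record for bulk data imports carrying a timestamp, user attribution, a trigger-maintained row count and a rollback path, as an added SQL example that is not ECHO Impact's own schema. Table, column and function names are assumptions; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's standard objects, and the block runs on its own without the example above.

```sql
-- Added example (not ECHO Impact's own schema): audit logging for data
-- imports with timestamp, acting user, row count and rollback. Names are
-- assumptions chosen for illustration.

-- One row per import. imported_by and imported_at are defaulted by the
-- database, so the client cannot misattribute or back-date the record.
-- auth.uid() is the user id from the verified Supabase JWT.
create table import_batches (
  id             uuid primary key default gen_random_uuid(),
  org_id         uuid not null,
  target_table   text not null,
  imported_by    uuid not null default auth.uid(),
  imported_at    timestamptz not null default now(),
  row_count      integer not null default 0,
  rolled_back_at timestamptz
);

-- An imported table: each row remembers the batch that created it.
create table contacts (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null,
  email    text not null,
  batch_id uuid references import_batches(id)
);

-- row_count is maintained by trigger rather than reported by the importer,
-- so the audit figure always matches what actually landed in the table.
create or replace function count_imported_row()
returns trigger language plpgsql as $$
begin
  if new.batch_id is not null then
    update import_batches
       set row_count = row_count + 1
     where id = new.batch_id;
  end if;
  return new;
end;
$$;

create trigger contacts_count_import
  after insert on contacts
  for each row execute function count_imported_row();

-- Append-only from the API: with RLS enabled and no policy for the client
-- roles, anon/authenticated can neither read, change nor delete audit rows.
-- Only the server-side path (service role, which bypasses RLS) writes them.
alter table import_batches enable row level security;

-- Rollback removes the batch's rows and stamps the audit record in one
-- transaction: if either statement fails, nothing is kept. The record is
-- never deleted, so both the import and its reversal stay in the log.
create or replace function rollback_import(p_batch uuid)
returns integer
language plpgsql security definer set search_path = public as $$
declare
  v_deleted integer;
begin
  if not exists (select 1 from import_batches
                  where id = p_batch and rolled_back_at is null) then
    raise exception 'unknown or already rolled-back batch %', p_batch;
  end if;
  delete from contacts where batch_id = p_batch;
  get diagnostics v_deleted = row_count;
  update import_batches set rolled_back_at = now() where id = p_batch;
  return v_deleted;
end;
$$;

-- Not callable by clients: the application server's admin-role check
-- (section 2, API Security) gates who may trigger a rollback.
revoke execute on function rollback_import(uuid) from public, anon, authenticated;
```

The design choice to note is that the audit row is written and counted by the database itself, not by the code performing the import; an importer that crashes halfway still leaves an accurate row count, and a reviewer reading `import_batches` later sees who ran the import, when, how many rows it produced and whether it was reversed.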
Data Minimisation
- ECHO only collects data explicitly provided by users or configured by organisation administrators
- Google Analytics is used for anonymous usage analytics (page views, feature adoption) to improve the product. No personally identifiable data or customer content is sent to Google Analytics
- AI-assisted features (e.g., application summarisation) process data on-demand and do not retain or train on user data
6. Third-Party Services
| Service | Purpose | Data Shared | Security |
|---|---|---|---|
| Supabase | Database, auth, storage, edge functions | All application data | SOC 2 Type II certified; Sydney region |
| Railway | Application hosting | Application code only (no customer data stored) | SOC 2 Type II certified; TLS encryption |
| Anthropic (Claude API) | AI-assisted features (optional) | Form responses, application text (when feature is used) | Zero data retention on API tier; no training on customer data |
| Resend | Transactional email delivery | Recipient email addresses, email content | SOC 2 Type II, TLS encryption |
| Google Analytics | Anonymous usage analytics | Page views, feature usage (no PII) | Standard data processing terms |
| Google Maps / Mapbox | Location services | City/country names for geocoding | Standard API terms |
7. Data Ownership & Portability
- Your data remains yours. ECHO does not claim ownership of any data entered by organisations or their applicants.
- Organisation administrators can export data at any time via built-in export features (CSV, Excel, Word documents).
- Upon contract termination, all organisation data can be exported and/or deleted upon request.
8. Compliance Alignment
ECHO's security practices align with:
- Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
- Notifiable Data Breaches (NDB) scheme: mandatory breach notification
- SOC 2 Type II certified infrastructure providers (Supabase, Railway)
- General Data Protection Regulation (GDPR) principles: data minimisation, purpose limitation, and user rights (relevant for international collaborators)
For organisations operating under Human Research Ethics requirements, ECHO supports:
- Strict access controls ensuring only authorised personnel can view sensitive data
- Complete data isolation between organisations (no cross-tenant data access)
- Audit trails for data modifications and access
- Data export capabilities for ethics review and compliance reporting
- The ability to restrict which team members can access specific data through role-based permissions
9. Contact
For data security queries, requests for additional documentation, or to discuss specific compliance requirements:
Nate Sturcke
Founder, ECHO Impact
Email: hello@echoimpact.io
This document is intended for prospective and current customers evaluating ECHO Impact's data security posture. For specific compliance requirements or detailed technical questions, please contact us directly.