Security Overview

Last updated: May 29, 2026

Snavigo helps B2B sales teams find buying-intent signals and reach the right contacts. Because we process company and contact information on your behalf, security is foundational to how we build and operate the Service.

This document summarizes our current security posture as a growing-stage company. We commit to transparency about what we have in place today and what we're maturing. If you have specific questions or a security questionnaire to complete, contact security@snavigo.com.


1. Where your data lives

  • Primary database: PostgreSQL hosted on Supabase, running on AWS infrastructure (region: ap-southeast-2 / Sydney, Australia)
  • AWS compliance: SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA-eligible. See https://aws.amazon.com/compliance/
  • Supabase compliance: SOC 2 Type 2, HIPAA-ready. See https://supabase.com/security
  • File storage: Documents you upload (e.g., product materials, offering attachments) are stored in Supabase Storage with private (non-public) access controls

2. Encryption

  • In transit: All connections use HTTPS / TLS 1.2+ between your browser, our application, and our backend services.
  • At rest: All data stored in our database and file storage is encrypted at rest using AES-256.
  • Secrets: Third-party API keys and credentials are stored in Supabase Vault as encrypted secrets, accessible only to server-side functions. They are never exposed to the browser or to other workspaces.

3. Multi-tenant data isolation

Every record in our database is scoped to your workspace via Row-Level Security (RLS) policies enforced at the database layer. This means:

  • Users in one workspace cannot access data in another workspace, even if application-level code were bypassed.
  • File storage paths are workspace-scoped and protected by the same RLS-style policy at the storage layer.
  • Cross-workspace access requires the database service role, which is held only by our server-side Edge Functions and is never exposed to users.
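As an added illustration of the pattern described above (example policies written for this page, not Snavigo's own schema; the tables, columns and the "documents" bucket are assumptions), this is how workspace-scoped Row-Level Security looks in Supabase/Postgres, with the storage-layer counterpart and the service-role exception:

```sql
-- Assumed schema (not Snavigo's): a membership table mapping Supabase auth
-- users to workspaces, and a tenant table whose rows carry a workspace_id.
create table if not exists workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  primary key (workspace_id, user_id)
);
create table if not exists signals (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  content      text
);

-- Once RLS is enabled, ordinary roles see zero rows until a policy grants
-- access; the policy is evaluated inside Postgres, whatever the app does.
alter table signals enable row level security;

-- auth.uid() is Supabase's helper returning the caller's JWT subject.
-- using() filters select/update/delete; with check() rejects inserts or
-- updates that would place a row in a workspace the caller is not in.
create policy "workspace members only" on signals
  for all to authenticated
  using (workspace_id in
         (select workspace_id from workspace_members where user_id = auth.uid()))
  with check (workspace_id in
         (select workspace_id from workspace_members where user_id = auth.uid()));

-- Storage-layer counterpart on an assumed "documents" bucket whose object
-- keys look like <workspace_id>/<filename>: the first path segment must be
-- one of the caller's workspaces, for reads and uploads alike.
create policy "workspace-scoped documents" on storage.objects
  for all to authenticated
  using (bucket_id = 'documents'
         and (storage.foldername(name))[1] in
         (select workspace_id::text from workspace_members where user_id = auth.uid()))
  with check (bucket_id = 'documents'
         and (storage.foldername(name))[1] in
         (select workspace_id::text from workspace_members where user_id = auth.uid()));

-- Check: connected as a user who belongs to no workspace,
-- `select count(*) from signals` returns 0 rather than an error. Only the
-- service_role (which has BYPASSRLS) ignores these policies, which is why
-- that key must never leave the server side.
```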

4. Authentication

  • Email + password authentication via Supabase Auth.
  • Passwords are hashed with bcrypt (industry standard) and never stored in plaintext or accessible to Snavigo personnel.
  • Session tokens are short-lived JWTs signed with a secret rotated periodically.
  • We recommend all users enable two-factor authentication on their email provider, as that is the recovery channel for the Service.
  • On the roadmap: SSO / SAML for enterprise customers.

5. Subprocessors

We use the following third-party services to deliver the Service. Each processes customer data only as needed to perform its stated function.

Service             | Purpose                                                   | Data shared
--------------------|-----------------------------------------------------------|------------------------------------------------------------------------
Supabase            | Database, authentication, file storage                    | All customer data
Amazon Web Services | Cloud infrastructure (via Supabase)                       | All customer data
Anthropic           | AI processing (Claude) for signal scoring and outreach drafting | Signal content, B2B contact info (name, title, employer), product context
Apollo.io           | Contact enrichment                                        | Company domains, job titles being looked up
NewsAPI             | News article monitoring                                   | Search keywords only
ScrapingBee         | Public web page fetching                                  | URLs being fetched
Brave Search        | Web search for domain resolution                          | Company names being researched

Anthropic: We use Anthropic's API. Per Anthropic's commercial terms, API customer data is not used to train their models. See https://www.anthropic.com/legal/commercial-terms

Apollo: Apollo is a B2B contact data provider with its own GDPR-compliant data sourcing practices. See https://www.apollo.io/privacy-policy

A current subprocessor list is maintained at https://snavigo.com/subprocessors. We commit to providing reasonable advance notice (target: 30 days) before adding subprocessors that process customer personal data.


6. AI and automated decision-making

Snavigo uses AI (Anthropic's Claude models) for two purposes:

  1. Scoring: evaluating whether a news article or web event is a relevant buying signal for your business.
  2. Drafting: generating personalized outreach message drafts tied to specific signals and contacts.

All AI-generated content is presented as a draft for human review. Users explicitly approve outreach before any message is sent. We do not send messages automatically.

Data sent to Anthropic includes signal content (typically public news), B2B contact information (name, title, employer), and the product context you've configured. We do not send sensitive identifiers, financial data, or personal data beyond standard B2B contact information.


7. Access controls

  • Internal access: Production database and infrastructure access is restricted to authorized Snavigo personnel on a need-to-know basis. As of this writing, that is limited to the founder and any contracted engineers with documented operational need.
  • Customer access: Customers control which users are invited into their workspace. We do not have visibility into customer passwords. Workspace administrators can revoke access at any time.
  • Logging: Application errors, authentication events, and database access patterns are logged for debugging and security monitoring.

8. Backups and recovery

  • Supabase performs automated daily backups of the database.
  • Backups are retained per Supabase's policy (currently 7–30 days depending on plan tier).
  • We periodically verify our backup restore procedure.
  • File storage is replicated within AWS for durability.

9. Incident response

If we discover a security incident affecting customer data, we commit to:

  • Investigating within 24 hours of detection
  • Notifying affected customers within 72 hours of confirmation, in line with GDPR Article 33
  • Providing a post-incident report including root cause and remediation steps

Report a suspected vulnerability or security incident to security@snavigo.com. We respond to security-related inquiries within 2 business days.

We do not currently operate a formal bug bounty program, but we welcome responsible disclosure and will acknowledge researchers who report valid issues.


10. Data retention and deletion

  • Active accounts: Customer data is retained for the duration of your subscription.
  • Account termination: Data is deleted within 30 days of termination, subject to backup retention cycles (backups age out per Supabase's retention policy).
  • On-demand: Customers can request immediate data export or deletion at any time via support@snavigo.com.

11. What we don't have yet (transparency)

We believe in being upfront about our security maturity. The following are real gaps appropriate for our stage, with a path to address each as we scale:

  • SOC 2 audit: Not yet completed. Planned as we approach enterprise scale.
  • ISO 27001 certification: Not yet pursued.
  • Penetration testing: No formal third-party penetration test conducted yet.
  • Customer-managed encryption keys (BYOK): Not currently supported.
  • SSO / SAML: Not currently supported; on the roadmap for enterprise tier.
  • Customer-facing audit log export: Not currently available in-product; can be provided on request.
  • Formal bug bounty program: Not yet established.

We're happy to discuss our roadmap on any of the above with prospective customers, and to prioritize items that are blocking for a specific engagement.


12. GDPR and data protection

For customers processing personal data of individuals in the EU, UK, or other regulated jurisdictions:

  • Snavigo acts as a Data Processor on your behalf; you are the Data Controller.
  • We offer a Data Processing Agreement (DPA) including Standard Contractual Clauses (SCCs) on request.
  • Personal data we process is limited to standard B2B contact information (name, title, employer, work email, LinkedIn URL).
  • Contact dpo@snavigo.com for DPA requests or data protection inquiries.

For full details on data handling, see our Privacy Policy at https://snavigo.com/privacy.


13. Contact

  • General security questions: security@snavigo.com
  • Privacy / data protection: privacy@snavigo.com
  • Vulnerability disclosure: security@snavigo.com
  • Support: support@snavigo.com

We respond to security-related inquiries within 2 business days.


Snavigo is a trading name of [Your Legal Entity Name], registered in [Country]. Registered address: [Address].

© 2026 Snavigo. All rights reserved.
