Security and data residency
Orkids is built on infrastructure located in the Philippines and Singapore regions, with encryption at rest and in transit. The architecture is designed around the obligations of RA 10173 and the National Privacy Commission's implementing rules.
Data residency
Primary data is stored in Supabase's ap-southeast-1 region (Singapore). Transactional email is processed by Resend (US). DNS and CDN are managed by Cloudflare (global edge, no data storage). No customer data is stored in jurisdictions outside ASEAN unless explicitly agreed in writing.
Encryption
All data is encrypted at rest using AES-256 (managed by Supabase). All data in transit is encrypted using TLS 1.2 or higher. Database connections use SSL with certificate verification enforced.
Secrets, API keys, and credentials are stored as environment variables and are not embedded in source code or build artifacts.
Access controls
Production database access requires row-level security (RLS) policies. Service-role keys are restricted to server-side API routes only. Client-side code uses anon keys scoped to public data only.
Administrative access to infrastructure is limited to named individuals and requires multi-factor authentication.
Audit logging
All write operations to customer data are logged with timestamp, operator identity, and before/after state. Audit logs are append-only and cannot be modified by application code. Log retention follows customer contract terms, with a minimum of 3 years consistent with BIR e-invoicing requirements.
Vendor list
Supabase — PostgreSQL database, authentication, and storage. Region: ap-southeast-1 (Singapore).
Vercel — Application hosting and serverless functions. Region: sin1 (Singapore).
Resend — Transactional email delivery. Region: US. No customer data is stored beyond email delivery logs.
Cloudflare — DNS and CDN. Global edge network. No customer data is stored at Cloudflare.
Breach notification timeline
We will notify affected customers within 72 hours of confirmed compromise, per NPC Circular 16-03. Notification will include the nature of the incident, categories of data affected, and remediation steps taken. We will also notify the National Privacy Commission within the same 72-hour window as required by law.
Contact
Security questions and responsible disclosure: security@orkids.ph. We respond within 2 business days.