Last updated: 29 April 2026
All tenant data (policies, assessments, uploads, workspace content) is stored in PostgreSQL in eu-west-2 (Frankfurt). Application logs and infrastructure telemetry may be processed globally by Vercel and Supabase. Metadata associated with your account (name, email, subscription tier) is stored in Supabase and replicated for redundancy.
All data in Supabase PostgreSQL is encrypted at rest using AES-256. Database backups are also encrypted.
All connections between your browser, the Rowpa application, and backend services use TLS 1.2 or higher with modern cipher suites.
Rowpa uses Supabase Row-Level Security (RLS) to enforce tenant isolation at the database layer. Each tenant sees only data within their own workspace. Tenant separation is enforced on every query; a user cannot query or modify another tenant's data even if they somehow bypass the application layer.
Rowpa uses passwordless authentication with magic links delivered via email. When you log in, we send a time-limited, single-use link to your registered email address. Sessions are managed with secure, HttpOnly cookies.
When you request AI-generated compliance content, Rowpa sends your prompt and relevant workspace context to Anthropic's Claude API. Requests are made over authenticated, encrypted connections.
Anthropic does not use API requests for model training. Your data is not retained to improve Claude or any other Anthropic product. See Anthropic's privacy policy and Enterprise Trust and Security documentation for full details on their data handling practices.
Supabase automatically maintains daily backups of all databases. Backups are retained for 30 days and encrypted at rest. In the event of data loss or corruption, Rowpa can restore from a backup with minimal downtime.
Rowpa monitors infrastructure health, application logs, and error rates continuously. If a security incident or data breach is suspected, we will investigate immediately and notify affected customers within the timeframe required by applicable law (typically 72 hours for GDPR).
For security concerns or to report a vulnerability, contact compliance@rowpa.app.
If you discover a security vulnerability in Rowpa, please report it responsibly to compliance@rowpa.app rather than disclosing it publicly. Include a clear description of the issue, steps to reproduce, and potential impact. We will acknowledge your report within 48 hours and work with you to resolve the issue before public disclosure.