Security

Your data, handled like we’d want ours handled.

RFPHawk is built by a small team that cares about security details. We keep the data surface small, encrypt it everywhere, and only give access to people who need it. Here’s how.

TLS 1.2+ · AES-256 at rest · Bcrypt passwords · Row-level security

How we protect your data

Encryption everywhere

TLS 1.2+ in transit and AES-256 at rest via Supabase. Passwords hashed with bcrypt using a unique salt per user. Never plain text, never reversible.

Least-privilege access

Production database access is limited to the core team. Access is logged via Supabase and revoked immediately when team membership changes. As the team grows, we will formalize access reviews on a written cadence.

Row-level security

Supabase RLS policies enforce that users can only read and write their own rows. Even a bug in application code cannot leak data across tenants.
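What an ownership-scoped RLS setup looks like in practice, as an added example written for this page rather than RFPHawk's own schema or policies. It assumes a hypothetical `proposals` table with an `owner_id` column and relies on Supabase's `auth.uid()` helper, which returns the calling user's id from the request JWT (NULL for anonymous requests, so every comparison below fails closed):

```sql
-- Added example (not RFPHawk's schema): a per-user table protected by
-- Postgres row-level security, written the way Supabase projects do it.
-- Assumptions: a hypothetical "proposals" table with an "owner_id" column,
-- and Supabase's auth.uid() helper returning the caller's user id.

create table if not exists proposals (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),  -- defaulted so clients need not (and cannot usefully) set it
  title      text not null,
  body       text,
  created_at timestamptz not null default now()
);

-- Without this line none of the policies below are ever consulted.
alter table proposals enable row level security;

-- Read: only rows whose owner_id matches the caller.
create policy "owner can read own proposals"
  on proposals for select
  to authenticated
  using (owner_id = auth.uid());

-- Insert: WITH CHECK is evaluated against the new row, so a client
-- cannot insert a row that claims a different owner_id.
create policy "owner can insert own proposals"
  on proposals for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Update: USING limits which existing rows the update can see,
-- WITH CHECK stops re-assigning a row to another owner.
create policy "owner can update own proposals"
  on proposals for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own proposals"
  on proposals for delete
  to authenticated
  using (owner_id = auth.uid());

-- No policy is granted to the anon role, so unauthenticated requests
-- see zero rows instead of other tenants' data.

-- Operator check: any table in the public schema that still has RLS
-- disabled is reachable by every authenticated user through the API.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Two details matter for the "even a bug in application code cannot leak data" guarantee. First, it only holds for requests made as the `anon` or `authenticated` roles; Supabase's service-role key bypasses RLS by design, so it has to stay on the server and out of any client bundle. Second, a table with RLS enabled but no policies denies everything, while a table with RLS never enabled permits everything, which is why the closing query over `pg_tables.rowsecurity` is worth running after every migration.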

No third-party tracking

No Google Analytics, no Facebook Pixel, no session replay, no ad-network SDKs. We use first-party aggregate metrics only.

Breach notification within 72 hours

If any incident affects customer data, we notify affected accounts by email within 72 hours of discovery, with a full post-mortem to follow.

Tested and monitored

Automated tests and type checks run on every commit. Dependencies are monitored via GitHub Dependabot, and production errors are surfaced in real time so regressions get caught quickly.

Infrastructure you can audit

We don’t roll our own database, auth, or payments. We use well-audited providers with strong security track records so our attention can stay on product and customer data hygiene.

Full vendor list

- Supabase (AWS us-east-1): Postgres, auth, row-level security. SOC 2 Type II, HIPAA eligible.
- Stripe: payments, subscriptions, invoicing. PCI DSS Level 1.
- Cloudflare: CDN, WAF, DDoS protection. ISO 27001, SOC 2.
- Resend: transactional email delivery. SOC 2 Type II.

Where we’re going

We publish our security roadmap so enterprise buyers know what to expect and when. If you need something that isn’t on here, email security@rfphawk.com.

- Shipped: TLS, at-rest encryption, RLS (in production today).
- Shipped: MFA on admin consoles (Supabase, Stripe, GitHub, Cloudflare).
- Planned: published vulnerability disclosure policy (drafting ahead of GA).
- Planned: SOC 2 Type I readiness (will start once we have a dedicated security owner).
- Planned: SOC 2 Type II audit (based on enterprise customer demand).
- Planned: HIPAA + FedRAMP evaluation (based on customer demand).

Found a vulnerability?

We appreciate responsible disclosure. Email security@rfphawk.com with details and reproduction steps. We’ll acknowledge within 48 hours, keep you updated on the fix, and publicly credit you (with permission) once resolved.

Please don’t run automated scanners against production. If you need to validate a finding, email first and we’ll set up a staging environment.