Security at Disqovr

Disqovr uses Supabase Auth for user authentication, which supports industry-standard security practices including bcrypt password hashing, brute-force protection, and email verification.

All access within the platform is governed by role-based access control (RBAC). Workspace members can be assigned Admin or Member roles, with Admins able to manage projects, invite team members, and configure workspace settings. Sensitive platform operations (billing, workspace deletion) require Admin role.

Vendor portal access is token-authenticated — vendors receive a unique, time-limited URL to complete their RFI. These tokens are single-use and expire after submission or after 30 days, whichever comes first.

Enterprise plans support SAML 2.0 Single Sign-On, compatible with Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and any SAML 2.0-compliant identity provider. SCIM provisioning for automated user lifecycle management is also available on Enterprise plans.

Disqovr's infrastructure runs on Supabase (PostgreSQL database) and Vercel (application hosting), with all customer data stored in UK-based data centres. Our database is hosted on a dedicated Supabase instance with network-level access controls and row-level security policies enforced at the database layer.

We do not share infrastructure with other customers — your data is logically isolated using tenant-scoped row-level security (RLS) enforced on every database query.

Database backups run automatically every 24 hours with a 30-day retention period. Point-in-time recovery is available. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 24 hours.

Every piece of data in Disqovr is associated with a workspace (tenant). Our database schema enforces strict tenant isolation through row-level security policies — queries from one workspace can never return data belonging to another workspace, even if the query is incorrectly formed.

Anonymised community vendor scores (aggregate benchmarks visible across the platform) are computed using differential privacy techniques that prevent reverse-engineering of individual customer scores. Your evaluation decisions are never attributable to your organisation in community data.

Our development process includes automated dependency vulnerability scanning on every build, using Dependabot and manual review for security-relevant updates. We follow the principle of least privilege for all service accounts and API keys.

All database queries go through Drizzle ORM with parameterised queries, eliminating the risk of SQL injection. User-generated content is sanitised before rendering to prevent XSS vulnerabilities. CSRF protection is applied to all state-mutating operations.

We conduct penetration testing prior to major releases and maintain an internal security review process for new features that handle sensitive data.

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in Disqovr, please email security@disqovr.io with a description of the issue and steps to reproduce it.

We commit to acknowledging your report within 48 hours, providing an initial assessment within 5 business days, and keeping you informed of our progress toward resolution. We follow coordinated disclosure principles and ask that you give us a reasonable opportunity to address the issue before public disclosure.

We do not currently operate a bug bounty programme, but we recognise significant contributions in our security acknowledgements.