Disqovr

Security

Security at Disqovr

This page is written for your security reviewer. Every control described here is implemented in the product today — and where we're not there yet, we say so.

Encryption in transit & at rest

All traffic is encrypted in transit with TLS. Data at rest is encrypted (AES-256) on managed Supabase PostgreSQL infrastructure.

Multi-factor authentication

TOTP-based MFA with QR enrolment. Once a user has a verified factor, every session is step-up challenged before reaching authenticated areas.

Tenant isolation, audited

Workspace-scoped data with row-level security — plus a dedicated cross-tenant isolation audit that runs automatically in CI.

DPA available

A GDPR Data Processing Agreement with our full sub-processor list is published openly and executed on request.

Authentication and access control

Disqovr uses Supabase Auth for user authentication, with bcrypt password hashing and email verification. Multi-factor authentication (TOTP) is available to every user: enrolment is self-serve from account settings (scan a QR code or enter the secret manually), and once a verified factor exists, the platform enforces a step-up MFA challenge on every session before any authenticated area can be reached.

Access within the platform is governed by role-based access control. Workspace members hold admin or member roles; sensitive operations — billing, data export, audit log access, workspace settings — require the admin role. Project-level membership further scopes who can see and act on each evaluation.

External vendor and stakeholder portals do not use shared magic links. Access is authenticated with single-use, expiring one-time codes sent to the invited email address: each code expires after 10 minutes, is invalidated on use, and issuing a new code invalidates outstanding ones. A successful code exchange establishes a scoped portal session limited to that project and audience.

SAML single sign-onis available for Enterprise workspaces. Workspace admins request a connection for their email domain in-app; we register the customer's identity provider (Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 IdP) and activate the connection. One email domain routes to exactly one workspace, and MFA enforcement applies independently of SSO. SCIM provisioning is not yet available.

Infrastructure and data hosting

Disqovr runs on Supabase (managed PostgreSQL, authentication, and file storage) and Vercel (application hosting). Data is encrypted in transit with TLS and at rest with AES-256 on Supabase's managed infrastructure. Database backups are managed by Supabase; our hosting region and backup configuration details are available to customers on request.

The platform includes a maintenance mode: a platform-wide switch that blocks all write operations while leaving data readable, used for safe migrations and incident containment.

Application errors are captured by Sentry for monitoring and alerting, with noisy control-flow filtered out so genuine faults surface quickly.

Multi-tenant isolation

Every record in Disqovr is scoped to a workspace (tenant). Tenant scoping is enforced in the data access layer on every query, and row-level security policies are enabled on tenant-scoped tables at the database layer.

We don't just assert this — we test it. A dedicated cross-tenant isolation audit runs in our CI pipeline: it connects to the database both as the application role and as an anonymous client, verifies that RLS is enabled on every tenant-scoped table, and checks that tenant data cannot be read across workspace boundaries. The build fails if any check fails.

Auditability and data portability

Each workspace has an append-only audit log recording who did what and when — project changes, membership changes, scoring actions, and other material events — viewable by workspace admins in Settings → Audit log.

Workspace admins can run a one-click data exportat any time (Settings → Workspace), producing a JSON export of the workspace's material data. No support ticket, no waiting — it answers the "can we get our data out?" question directly.

AI controls

AI features (evaluation insights, requirement drafting) are processed via the Anthropic API. Customer content sent to the API is not used to train models. AI access is governed by a central gate checked on every AI call: a global kill switch can disable AI platform-wide, trial workspaces are excluded by default, and the gate fails closed — if the check cannot complete, no AI call is made. When AI is off, the product degrades gracefully; evaluations work without it.

AI is included on Pro, Business and Enterprise (Starter and trials excluded). Every AI output is a draft you review and edit before anything is saved — nothing is auto-decided. See what's included in each plan →

Software security practices

Every response carries strict security headers: a Content-Security-Policy, Strict-Transport-Security (HSTS with preload), X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy.

Every push and pull request runs through a CI pipeline gating on type checks, unit tests, linting, the cross-tenant isolation audit, a production build, and an end-to-end flow check. Dependency vulnerability scanning runs via Dependabot: scheduled update PRs weekly, with security updates raised immediately.

All database access goes through Drizzle ORM with parameterised queries, removing SQL injection exposure. Public forms are protected against bots with Cloudflare Turnstile. Service accounts and API keys follow least privilege.

Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in Disqovr, please email security@disqovr.com with a description of the issue and steps to reproduce it.

We commit to acknowledging your report within 48 hours, providing an initial assessment within 5 business days, and keeping you informed of our progress toward resolution. We follow coordinated disclosure principles and ask that you give us a reasonable opportunity to address the issue before public disclosure. We do not currently operate a bug bounty programme, but we recognise significant contributions in our security acknowledgements.

Where we are, honestly

We don't claim certifications we don't hold. Here's our current compliance position and what's on our roadmap.

UK GDPR

In place

We operate as a UK GDPR data processor. Our Data Processing Agreement — including the full sub-processor list — is published openly and executed on request.

Cyber Essentials

In progress

UK government-backed certification covering the five core technical controls. Certification is in progress.

Penetration test

On our roadmap

An independent third-party penetration test is planned. We will share the report summary with customers under NDA once complete.

SOC 2

On our roadmap

We maintain an internal SOC 2 readiness gap analysis and are building toward a Type I report. We do not yet claim SOC 2 alignment or certification.

Security questions?

Send us your security questionnaire, request an executed DPA, or ask anything on this page — we answer security reviews directly.