Security is the product. Here is how we protect your data, what we promise, and where we're honest about limits.
Architecture
- Multi-tenant Postgres with Row Level Security — every business-data table has `tenant_id` with mandatory RLS policies. Even a compromised application server cannot cross tenants.
- Magic-link authentication only — no passwords stored. Reduces credential-theft surface to zero.
- Service-role isolation — admin-bypass keys are server-only and never reach the browser.
- Audit log — every meaningful action (vendor created, questionnaire sent, document uploaded) is recorded.
Encryption
- TLS 1.2+ for all transit (1.3 preferred).
- AES-256 at rest via Supabase + S3-compatible storage.
- Document storage uses signed URLs with short TTL.
- Email magic-links use HMAC-SHA256 signed tokens.
Data residency
- Default region: Singapore (AWS ap-southeast-1) via Supabase.
- India region: available on Pro plan (AWS ap-south-1).
- Backups: daily, encrypted, same region as primary.
Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Postgres, Auth, Storage | Singapore |
| Vercel | Application hosting | Global edge |
| Resend | Transactional email | US / EU |
| Razorpay | Payments | India |
| Cloudflare | DNS, CDN, DDoS | Global edge |
30-day advance notice before adding new sub-processors. Subscribe to updates: trust@ringsafe.in.
Operational security
- Background-checked personnel; minimum-necessary access; quarterly access reviews.
- MFA on all administrative consoles.
- Centralised SIEM ingest of all infrastructure logs.
- Dependency scanning (Snyk / Dependabot) in every CI pipeline.
- Annual third-party penetration test (CERT-In empanelled vendor) — report available under NDA.
- Continuous CSPM monitoring on production infrastructure.
Vulnerability disclosure
If you find a security vulnerability, please report it responsibly to security@ringsafe.in. We acknowledge within 24 hours and aim to remediate within 30 days. Bug bounty programme launching 2026.
Compliance posture
- DPDP Act 2023: Data Processor obligations honored. Standard DPA available.
- GDPR: Article 28 processor obligations honored. Standard SCCs for EU transfers.
- SOC 2 Type II: in progress (target Q4 2026).
- ISO 27001:2022: in progress (target Q1 2027).
Incident response
We notify affected customers of a personal data breach without undue delay and within 72 hours of becoming aware, in line with DPDP Act 2023 and GDPR requirements. Notification includes the nature of the breach, categories of data affected, likely consequences, mitigation steps, and a contact point. We additionally notify the Data Protection Board of India where required.
Service availability
Target uptime: 99.5% monthly on Starter and above (excluding scheduled maintenance announced in advance). Free plan is best-effort. Status page: ringsafe.statuspage.io (launching with Starter tier go-live).
Questions? Email trust@ringsafe.in. For security audit / questionnaire responses to share with your customers, request our SIG-Lite or CAIQ at the same address.