Security & Trust

How we protect your data

LocalReach Rewards is built on security-first infrastructure. Every architectural decision — from database design to HTTP headers — is made with data protection in mind.

Compliance Status

ISO 27001 Roadmap

In Progress

SOC 2 Type I Roadmap

In Progress

GDPR Compliance

Implemented

CCPA Compliance

Implemented

TLS 1.2+ Enforcement

Active

HSTS Preload

Active

Access Control

Role-based access control (RBAC)

Three roles: Admin, Business, Creator. Row-Level Security enforced at the database layer.

Authentication via Supabase Auth

Email/password with bcrypt hashing. Sessions managed with signed JWTs.

Principle of least privilege

Each role can only read and write data scoped to their own account via RLS policies.

Admin portal protection

Admin routes require role=admin at both routing and database layers independently.

Data Security

Encryption in transit

All traffic served over TLS 1.2+. HSTS enforced with preload for 2 years.

Encryption at rest

Database hosted on Supabase (AWS). Data encrypted at rest using AES-256.

Row-Level Security

Every table has RLS enabled. No data leaks between tenant accounts.

Data minimization

Only IP geolocation (city/state/country) collected — no precise GPS. Location data used solely for scoring.

Audit & Monitoring

Append-only audit log

All privileged actions (approvals, rejections, payout approvals, fraud flag resolutions) written to an immutable audit_logs table.

Actor attribution

Every audit entry records user_id, action, resource, and timestamp.

No deletions from audit log

No UPDATE or DELETE RLS policies on audit_logs. The table is append-only by design.

Fraud detection logging

Automated fraud flags are logged with severity, type, and details. Resolution decisions are audited.

Application Security

Content Security Policy

CSP header restricts script, style, connect, and image sources. Prevents XSS and data injection.

Clickjacking protection

X-Frame-Options: DENY and CSP frame-ancestors: none prevent embedding in iframes.

MIME sniffing protection

X-Content-Type-Options: nosniff enforced on all responses.

Permissions Policy

Camera, microphone, and interest-cohort APIs disabled. Geolocation restricted to self.

Infrastructure

Hosted on Supabase (AWS)

ISO 27001 certified infrastructure. SOC 2 Type II compliant hosting.

Automated backups

Supabase performs daily point-in-time backups with 7-day retention.

Database migration versioning

All schema changes are tracked in numbered migration files and applied sequentially.

Dependency scanning

Dependencies monitored for known vulnerabilities via npm audit.

Privacy & Compliance

Privacy Policy

Documents data collection, usage, retention, and subject rights.

Data retention limits

Tracking events and submissions retained for campaign lifetime + 3 years. Account data deleted on request.

No data sales

Personal data is never sold or shared with third parties except service providers under DPA.

GDPR / CCPA rights

Data subjects may request access, correction, or deletion of their personal data at any time.

Vulnerability Disclosure

If you discover a security vulnerability, please report it to us privately. We follow responsible disclosure and will acknowledge receipt within 72 hours.

  • Email: security@localreachrewards.com
  • We target patch deployment within 30 days for critical issues
  • We do not pursue legal action for good-faith disclosures

We gratefully acknowledge security researchers who help keep LocalReach Rewards safe.