How we protect your data
LocalReach Rewards is built on security-first infrastructure. Every architectural decision — from database design to HTTP headers — is made with data protection in mind.
Compliance Status
ISO 27001 Roadmap
In ProgressSOC 2 Type I Roadmap
In ProgressGDPR Compliance
ImplementedCCPA Compliance
ImplementedTLS 1.2+ Enforcement
ActiveHSTS Preload
ActiveAccess Control
Role-based access control (RBAC)
Three roles: Admin, Business, Creator. Row-Level Security enforced at the database layer.
Authentication via Supabase Auth
Email/password with bcrypt hashing. Sessions managed with signed JWTs.
Principle of least privilege
Each role can only read and write data scoped to their own account via RLS policies.
Admin portal protection
Admin routes require role=admin at both routing and database layers independently.
Data Security
Encryption in transit
All traffic served over TLS 1.2+. HSTS enforced with preload for 2 years.
Encryption at rest
Database hosted on Supabase (AWS). Data encrypted at rest using AES-256.
Row-Level Security
Every table has RLS enabled. No data leaks between tenant accounts.
Data minimization
Only IP geolocation (city/state/country) collected — no precise GPS. Location data used solely for scoring.
Audit & Monitoring
Append-only audit log
All privileged actions (approvals, rejections, payout approvals, fraud flag resolutions) written to an immutable audit_logs table.
Actor attribution
Every audit entry records user_id, action, resource, and timestamp.
No deletions from audit log
No UPDATE or DELETE RLS policies on audit_logs. The table is append-only by design.
Fraud detection logging
Automated fraud flags are logged with severity, type, and details. Resolution decisions are audited.
Application Security
Content Security Policy
CSP header restricts script, style, connect, and image sources. Prevents XSS and data injection.
Clickjacking protection
X-Frame-Options: DENY and CSP frame-ancestors: none prevent embedding in iframes.
MIME sniffing protection
X-Content-Type-Options: nosniff enforced on all responses.
Permissions Policy
Camera, microphone, and interest-cohort APIs disabled. Geolocation restricted to self.
Infrastructure
Hosted on Supabase (AWS)
ISO 27001 certified infrastructure. SOC 2 Type II compliant hosting.
Automated backups
Supabase performs daily point-in-time backups with 7-day retention.
Database migration versioning
All schema changes are tracked in numbered migration files and applied sequentially.
Dependency scanning
Dependencies monitored for known vulnerabilities via npm audit.
Privacy & Compliance
Privacy Policy
Documents data collection, usage, retention, and subject rights.
Data retention limits
Tracking events and submissions retained for campaign lifetime + 3 years. Account data deleted on request.
No data sales
Personal data is never sold or shared with third parties except service providers under DPA.
GDPR / CCPA rights
Data subjects may request access, correction, or deletion of their personal data at any time.
Vulnerability Disclosure
If you discover a security vulnerability, please report it to us privately. We follow responsible disclosure and will acknowledge receipt within 72 hours.
- Email: security@localreachrewards.com
- We target patch deployment within 30 days for critical issues
- We do not pursue legal action for good-faith disclosures
We gratefully acknowledge security researchers who help keep LocalReach Rewards safe.