Security

Water utilities are critical infrastructure. We treat the data you hand us accordingly.

US-hosted

All production data lives in US-based AWS data centers operated by Supabase. No cross-border transfer.

Encrypted at every layer

TLS 1.2+ in transit. AES-256 at rest. Secrets managed via Vercel and Supabase Vault, never in source code.

Tenant-isolated

Every utility is isolated at the database layer via Postgres row-level security. One utility cannot see, query, or infer another utility’s data.

SOC 2 audit in progress

We engaged a SOC 2 auditor in Q2 2026. Type I report targeted within 90 days; Type II annually thereafter.

Access audited

Production data access is restricted to a small engineering team, gated by SSO and MFA, and every access is logged.

Backups and recovery

Point-in-time database backups with 30-day retention. Disaster recovery exercises run quarterly.

Questions?

We're happy to walk procurement, IT, and security teams through our setup in detail. Request our security questionnaire response, vendor onboarding pack, or architecture overview at security@getfluvio.com.