Security

Last reviewed 25 April 2026. This page summarises how SetupPasskeys protects customer data, the controls in place around the platform, how to report vulnerabilities, and what is on our compliance roadmap. For a vendor-assessment questionnaire or signed security pack suitable for an enterprise procurement review, email security@setuppasskeys.com.

Hosting

EU/EEA only

Vercel (Frankfurt) + Supabase (Frankfurt)

Encryption

TLS 1.2+ in transit · AES-256 at rest

HSTS preloaded · CSP-locked frames

DPA

GDPR-aligned · UK GDPR + EU SCCs

Read the standard DPA

Compliance roadmap

SOC 2 Type II in 2026

ISO 27001 evaluation Q4 2026

What we store

Org name, logo URL, accent colour, passkey policy
Admin email + Supabase Auth session
Anonymised usage events (vendor, step, outcome)
Stripe customer ID + subscription ID (no card data)

What we never store

Passkey secrets — they live on the user's device
End-user PII — names, phones, employee IDs
Card numbers or payment methods (handled by Stripe)
End-user passwords or Microsoft tokens of any kind

Subprocessors at a glance

Subprocessor	Purpose	Region
Vercel	Edge hosting, serverless functions	EU (Frankfurt)
Supabase	Postgres database, auth, row-level security	EU (Frankfurt)
Stripe	Billing + payment processing	EU / US (Stripe data residency)
Resend	Transactional email delivery	EU / US
Google Gemini	Optional AI diagnose feature (opt-in)	EU / US

1. What we protect

SetupPasskeys is a guided passkey-registration product for Microsoft Entra ID. The data we hold is intentionally minimal:

Org configuration — branding (logo URL, accent colour, org name), passkey policy settings, support routing, and optional custom-domain mapping.
Admin accounts — email address and Supabase Auth session tokens for users who sign in to the admin portal at /app.
Anonymised usage events — vendor (Apple, Google, Samsung, Microsoft), step reached in the walkthrough, and completion outcome. No personally identifiable information is attached.
Billing references — Stripe customer and subscription IDs only. Card numbers and payment-method details never reach our infrastructure; they live in Stripe.

We do not store, see, or proxy passkey credentials. Passkey secrets remain on the end user's device and in Microsoft Entra ID — SetupPasskeys is the guidance layer, not the identity provider.

2. Hosting and infrastructure

Vercel — global edge hosting and the runtime for our serverless API functions. ISO 27001 / SOC 2 Type II certified at the hosting layer.
Supabase — managed Postgres database, authentication, and row-level security. SOC 2 Type II certified.
Stripe — billing and payments. PCI DSS Level 1 service provider.
Resend — transactional email (welcome message, trial reminders, lead notifications). DPA and standard contractual clauses in place.

All sub-processors are listed in the privacy policy with their data-residency and transfer mechanisms. We will give existing customers at least 30 days notice before adding a new sub-processor that handles personal data.

3. Encryption

In transit — TLS 1.2 or higher on every connection between browsers, our edge functions, and our sub-processors. HTTP Strict Transport Security with includeSubDomains; preload is set on every response from the platform.
At rest — Supabase encrypts the Postgres data layer with AES-256; Vercel encrypts log and asset storage with AES-256; Stripe encrypts payment data per PCI DSS Level 1.
Secrets — service-role keys, Stripe secrets, and Resend API keys are stored in Vercel's encrypted environment-variable store and never committed to the codebase. Production secrets are scoped to the production environment only.

4. Access controls

Tenant isolation via RLS — every customer row in Supabase is protected by Postgres row-level-security policies keyed on the authenticated user's org membership. A signed-in admin can only read or write rows for orgs they belong to.
Service-role key — used only by trusted server-side handlers (Stripe webhook, super-admin endpoints, cron jobs). Never exposed to the browser. Each handler that uses it re-authenticates the caller before performing cross-tenant operations.
Super-admin allow-list — the /admin dashboard is gated on a comma-separated SUPER_ADMIN_EMAILS environment variable. Anyone whose Supabase session email is not in the list receives a 403, regardless of the access token they present.
Magic-link authentication — admin sign-in uses Supabase Auth magic links, not passwords. Sessions expire after 7 days of inactivity.

5. Browser-side hardening

The static landing site, the admin portal, and the super-admin dashboard each run under a tailored Content Security Policy defined in vercel.json:

script-src 'self' with the analytics-bootstrap host as the only external source. No third-party trackers, ad networks, or fingerprinters.
frame-ancestors 'none' on /app and /admin so the admin surfaces cannot be embedded by a malicious site (clickjacking).
X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin on every response.
Permissions-Policy grants publickey-credentials-create and publickey-credentials-get so the WebAuthn handoff to Microsoft works, and disables the deprecated interest-cohort tracking.

6. Application-level controls

Rate limits on public endpoints. The lead-capture form (/api/enquiry) and domain-detection telemetry are rate-limited per (IP-hash + identifier) to defeat scripted floods without blocking legitimate users.
Input validation. Every public POST endpoint validates the shape and length of inputs before they touch the database, so a malicious payload cannot bloat tables or abuse third-party APIs.
Idempotent webhooks. The Stripe webhook tracks a per-event fingerprint so retried deliveries do not double-charge or duplicate provisioning.
Branding sanitisation. Customer-supplied logos, accent colours, and support URLs are validated and escaped before being injected into the branded guide, so a tenant cannot XSS another tenant's visitors.

7. Monitoring and incident response

Vercel and Supabase provide structured logging for every API call and database query. Alerts on failure rates and latency are wired into the platform owner's on-call channel.
On confirmation of a security incident affecting customer data, we will notify impacted customers within 72 hours of detection, in line with GDPR Article 33. Communication runs through the registered admin email on the affected org.

8. Vulnerability disclosure

If you believe you have found a security vulnerability in SetupPasskeys, please email security@setuppasskeys.com with a description, reproduction steps, and any proof-of-concept material. We aim to acknowledge within one working day and to resolve confirmed issues within 30 days, sooner for high-severity reports.

Please do not test against live customer data, do not access information that does not belong to you, and do not perform denial-of-service or social-engineering attacks. We will not pursue good-faith research that follows these rules.

9. Compliance roadmap

SOC 2 Type I — targeted for late 2026 once the platform's audit log and access-review processes have been operating long enough to evidence.
GDPR / UK GDPR — already in scope. Data Processing Addendum and standard contractual clauses are available on request through the privacy policy contact address.
ISO 27001 alignment — controls inherit from Vercel and Supabase where applicable; an organisation-level certification is under evaluation for 2027.

Customers needing a fully-reviewed security pack, a vendor-assessment response, or a signed DPA before pilot can request one through security@setuppasskeys.com.

10. Contact

General security questions, vulnerability reports, and compliance requests: security@setuppasskeys.com. For data privacy questions, see the privacy policy.