Your supply chain data is sensitive. Here's how SCIS protects it — with complete tenant isolation, encryption at every layer, and strict access controls.
Every organization's data is completely separated. No user can ever access another organization's records.
Every record is scoped by organizationId. All queries are filtered at the database level — there is no code path that allows cross-tenant data access.
Every API request verifies the user's identity and organization membership before returning any data. Unauthenticated requests are rejected immediately.
Identity management is handled by Clerk with MFA support, breach detection, and brute-force protection. SCIS never stores passwords.
Production workloads run on isolated serverless functions with no shared state between tenants. No customer data is stored on developer machines.
All data is encrypted in transit and at rest, hosted in the EU.
| Data Type | Provider | Location | Encryption |
|---|---|---|---|
| Database | PostgreSQL (Supabase) | EU (Frankfurt) | AES-256 + TLS |
| File Storage | Cloudflare R2 / AWS S3 | EU | AES-256 + TLS |
| Authentication | Clerk | Global (encrypted) | AES-256 |
| Payments | Stripe | Stripe Infrastructure | PCI-DSS L1 |
All connections encrypted
Enforced with HSTS
Data at rest
Four roles with clearly defined permissions. Users only see and do what their role allows.
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View data | ||||
| Create & edit records | — | |||
| Delete records | — | — | ||
| Manage team members | — | — | ||
| Manage billing | — | — | — |
We only share data with trusted providers necessary to deliver the service. Your data is never sold, rented, or used for advertising.
| Provider | Purpose | Data Shared | Retention |
|---|---|---|---|
| Anthropic (Claude AI) | Document scanning, classification, screening | Document content, product descriptions | Not retained |
| Stripe | Payment processing | Email, subscription status | Per Stripe policy |
| Clerk | Authentication | Email, name, login activity | Per Clerk policy |
| Supabase | Database hosting | All structured data | Until deletion |
| Cloudflare / AWS | File storage | Uploaded documents | Until deletion |
| Vercel | Application hosting | Request logs | 30 days |
SCIS is headquartered in Austria and hosts primary data in the EU.
View all data in the platform or request a full export
Edit records directly in the platform
Delete records or request full account deletion
Export data via API (JSON) or request bulk export
Contact support to restrict processing
Secure development practices built into every layer.
Prisma ORM with parameterized queries exclusively. No raw SQL.
React's built-in JSX escaping. No dangerouslySetInnerHTML usage.
All API endpoints validate input using Zod schemas before processing.
Only PDF, PNG, JPG, WebP accepted. 10 MB max. No executable files.
Session-based auth with secure cookies. State changes require POST/PATCH/DELETE.
Generic error responses in production. No stack traces or internal details exposed.
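The upload restriction listed above (PDF, PNG, JPG, WebP only; 10 MB max), shown as an added example that is not SCIS code: a server-side check that decides the file type from its content instead of trusting the client-declared type or extension. The function name, reason strings and the magic-byte approach are assumptions made for illustration.

```javascript
// Added example: limits come from the page; sniffing by magic bytes is an assumption.
const MAX_BYTES = 10 * 1024 * 1024; // 10 MB cap stated on the page

// True when `bytes` contains `sig` at `offset`.
function startsWith(bytes, sig, offset = 0) {
  if (bytes.length < offset + sig.length) return false;
  return sig.every((v, i) => bytes[offset + i] === v);
}

// Magic-byte signatures for the four accepted formats.
const SIGNATURES = [
  { mime: "application/pdf", ext: ["pdf"],
    match: (b) => startsWith(b, [0x25, 0x50, 0x44, 0x46, 0x2d]) },            // "%PDF-"
  { mime: "image/png", ext: ["png"],
    match: (b) => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: "image/jpeg", ext: ["jpg", "jpeg"],
    match: (b) => startsWith(b, [0xff, 0xd8, 0xff]) },
  { mime: "image/webp", ext: ["webp"],                                        // "RIFF" <size> "WEBP"
    match: (b) => startsWith(b, [0x52, 0x49, 0x46, 0x46]) &&
                  startsWith(b, [0x57, 0x45, 0x42, 0x50], 8) },
];

// Returns { ok: true, mime } or { ok: false, reason }.
function validateUpload(filename, declaredMime, bytes) {
  if (bytes.length === 0) return { ok: false, reason: "empty" };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: "too_large" };
  const detected = SIGNATURES.find((s) => s.match(bytes));
  if (!detected) return { ok: false, reason: "unsupported_type" };
  // Client-supplied Content-Type and extension must both agree with the sniffed type.
  if (declaredMime !== detected.mime) return { ok: false, reason: "mime_mismatch" };
  const ext = filename.includes(".") ? filename.split(".").pop().toLowerCase() : "";
  if (!detected.ext.includes(ext)) return { ok: false, reason: "extension_mismatch" };
  return { ok: true, mime: detected.mime };
}

// Constructed sample inputs (not real uploads).
const pngHeader = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]);
const peHeader = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00]); // "MZ" executable header
console.log(validateUpload("invoice.png", "image/png", pngHeader));
console.log(validateUpload("invoice.pdf", "application/pdf", peHeader));
```

A signature check only establishes the container type; it does not prove the file is well formed or free of embedded active content.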
We continuously invest in security improvements.
We're happy to discuss our security practices in detail. Request a DPA or schedule a security review.