
Security

Last updated: May 12, 2026, v1.0

This page describes the security measures applied to protect your data and your end users' data.

Hosting and data

  • Database: Supabase, default EU region (Frankfurt). Managed Postgres, daily backups, 7-day point-in-time recovery.
  • Frontend and serverless functions: Vercel (EU and US regions depending on routes).
  • Object storage: Supabase Storage, isolated per workspace.

Encryption

  • In transit: TLS 1.3 on all public endpoints. HSTS on production domains.
  • At rest: AES-256 for database and object storage, AES-256-GCM for workspace secrets (OAuth tokens, third-party API keys).
  • Passwords: never stored in cleartext; hashed with bcrypt via Supabase Auth.

Data isolation

  • Row Level Security (RLS) active on 76+ Postgres tables. Every query is filtered by workspace membership, with no super_admin bypass in production (except for the global Freelance OS platform super-admin).
  • Session cookies: HttpOnly, Secure, SameSite. No JavaScript access to auth tokens.

Authentication

  • Email / password via Supabase Auth
  • TOTP MFA available (Google Authenticator, Authy, 1Password, etc.)
  • Time-limited sessions, refresh token rotation
  • Automatic lockout after multiple failures

Logging and detection

  • Application audit logs (sensitive actions: login, role change, data deletion, super_admin action)
  • Infrastructure logs from Vercel and Supabase
  • Alerts on suspicious events (unusual logins, repeated failures, bulk operations)

Sub-processors

Our technical sub-processors are selected for their security posture (PCI-DSS for Stripe, ISO 27001 and SOC 2 for Vercel and Supabase, etc.). See /en/subprocessors.

Testing and continuous improvement

  • Security updates applied quickly (NPM dependencies, Postgres, Node.js)
  • Manual code review for sensitive features (auth, billing, data deletion)
  • Regular audit log analysis

Business continuity

  • Daily Supabase backups with 7-day retention, restoration tested
  • Source code versioned on GitHub with dev / main branch strategy
  • Infrastructure and restoration procedures documented

Reporting a vulnerability

If you discover a vulnerability, contact us at security@freelance-os.fr (or contact@freelance-os.fr with subject "Security disclosure"). We acknowledge within 72 hours and commit not to pursue legal action against good-faith security researchers (responsible disclosure).

Please respect:

  • Don't exfiltrate more data than necessary for demonstration
  • Don't degrade the service
  • Give us reasonable time to fix before publication

Evolution

This page is updated at every material change in our security posture.

Contact

contact@freelance-os.fr, security@freelance-os.fr
