
Security & Data Protection

Transparent, practical security for industrial software. No buzzwords — just what we do and why it matters.

What We Store (and What We Don't)

Let's be upfront: BORG builds applications. We don't run servers, manage firewalls, or operate data centers. Your app data lives in Supabase, an enterprise-grade platform running on AWS in the EU. Supabase handles the heavy infrastructure security. We handle making sure the application layer is locked down tight.

That's an important distinction. We're not going to pretend we're running a SOC. What we are going to do is make sure every line of code we write treats your data with the respect it deserves.

User accounts: names, emails & hashed passwords
Roles & permissions for access control
Audit logs & photo evidence (safety apps)

That's it. We don't vacuum up your business data. We store what the app needs to work, and we secure it properly.

AI & Your Data

We use AI to build your software — it makes us faster and the end result better. But by default, your data stays out of it. No client data is sent to OpenAI, Anthropic, Google, or any other AI provider unless you explicitly ask for it. That's not a marketing line. It's in the contract.

What If You Want AI Working With Your Data?

Local AI Model · Max Privacy

We run the AI model locally — on dedicated hardware, fully within your control. Your data never leaves the environment. Most private, higher project costs.

External AI Provider · Cost-Effective

We connect to an external service like Anthropic's Claude API. Faster and cheaper, but your data is processed by a third party. You sign off explicitly — documented in the DPA.

No AI on Your Data · Default

AI powers our development process only. Your data stays in Supabase, untouched by any AI service. This is the standard for every project unless you tell us otherwise.

The choice is yours. We'll explain the trade-offs, give you a clear recommendation, and document whatever you decide in the contract.

How Your App Data Is Protected

Platform Level · Supabase

The infrastructure under your app is managed by Supabase, a SOC 2 Type II certified platform. We chose Supabase because it gives your app enterprise-grade infrastructure security from day one, without the enterprise price tag.

AES-256 Encryption at Rest

Your database is encrypted, always.

TLS 1.2+ in Transit

Every connection is secured end-to-end.

Automated Daily Backups

Point-in-time recovery available on all plans.

EU-Hosted · Frankfurt, AWS

Your data stays in Europe. GDPR-ready by default.

Authentication

Supabase Auth handles bcrypt hashing, sessions, MFA, and rate limiting out of the box.

Patching, DDoS & Uptime

All managed by Supabase's security team — not on our plate, not on yours.

Application Level · BORG

This is where our work comes in. On top of what Supabase provides, every BORG application follows these standards:

Row Level Security (RLS) · the big one

Policies enforced inside the database itself, so one client's users cannot see another client's data no matter what the application code does. Tested before every deployment.

API Key Discipline

The public key (subject to RLS) goes in the frontend. The secret key (bypasses RLS entirely) stays server-side, in environment variables, never in code.
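As an added illustration of the RLS and key-discipline points above (example code, not BORG's own), here is what a tenant-isolation policy looks like on a Supabase Postgres table. The `client_members` and `work_orders` tables, their columns and the user id in the check are assumptions.

```sql
-- Added example, not BORG's code: tenant isolation with Postgres RLS on Supabase.
-- Assumed schema: each user belongs to one or more clients via client_members,
-- and every business row carries the client_id it belongs to.
create table client_members (
  user_id   uuid not null references auth.users (id),
  client_id uuid not null,
  primary key (user_id, client_id)
);

create table work_orders (
  id        uuid primary key default gen_random_uuid(),
  client_id uuid not null,
  title     text not null
);

-- Enable RLS and FORCE it, so even the table owner is subject to the policies.
-- Only roles with BYPASSRLS (Supabase's service_role, i.e. the secret key) skip
-- them; the public anon key and signed-in users always go through them.
alter table client_members enable row level security;
alter table client_members force row level security;
alter table work_orders     enable row level security;
alter table work_orders     force row level security;

-- Gotcha: RLS also applies to tables read inside a policy's subquery. Without
-- this policy the membership lookup below sees zero rows and denies everything.
create policy members_self on client_members
  for select to authenticated
  using (user_id = auth.uid());   -- auth.uid() = the "sub" claim of the caller's JWT

-- Reads: a signed-in user sees only rows of clients they are a member of.
create policy work_orders_select on work_orders
  for select to authenticated
  using (exists (
    select 1 from client_members m
    where m.client_id = work_orders.client_id and m.user_id = auth.uid()));

-- Writes must be scoped too, or a user could insert rows into another client.
create policy work_orders_insert on work_orders
  for insert to authenticated
  with check (exists (
    select 1 from client_members m
    where m.client_id = work_orders.client_id and m.user_id = auth.uid()));

-- Pre-deployment check from psql: impersonate a user (constructed id, assumed
-- to be a member of exactly one client) and confirm only that client's rows return.
set role authenticated;
set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from work_orders;
reset role;
```

The impersonation block at the end is the kind of check that can be scripted into a pre-deployment RLS test: run it once per role and compare the counts against what that user is entitled to see.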

Input Validation

Server-side validation, parameterized queries, output escaping. The basics done properly.

Secure Deployments

Every production release passes a 10-point security checklist before going live.

Dependency Scanning

We monitor for vulnerable packages and patch critical issues within 48 hours of disclosure.

Safety-Critical Apps (LoTO, Maintenance)

When the app involves workplace safety, we add an extra layer:

Individual accounts only — no shared logins, ever
Every action logged: who did what, when, from which device
Audit logs are immutable — nobody can edit or delete them
Photo evidence is permanent once submitted
Separate permission levels for operators, supervisors, and admins
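The "immutable audit log" requirement above, as an added example in Supabase Postgres (not BORG's own code). The `audit_log` table and its columns are assumptions; the point is that append-only is enforced at three independent layers rather than trusted to application code.

```sql
-- Added example, not BORG's code: an append-only audit log in Supabase Postgres.
-- Table and column names are assumptions.
create table audit_log (
  id          bigint generated always as identity primary key,
  actor_id    uuid not null default auth.uid(),    -- who
  action      text not null,                       -- what
  device_info text,                                -- from which device
  occurred_at timestamptz not null default now()   -- when
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Layer 1, privileges: normal roles never hold UPDATE or DELETE at all.
revoke update, delete on audit_log from authenticated, anon;

-- Layer 2, RLS: users may append entries as themselves and read their own.
-- With no UPDATE/DELETE policy defined, RLS denies those operations regardless
-- of grants. (Supervisor-wide reads would be scoped by client membership.)
create policy audit_log_insert on audit_log
  for insert to authenticated
  with check (actor_id = auth.uid());

create policy audit_log_select on audit_log
  for select to authenticated
  using (actor_id = auth.uid());

-- Layer 3, trigger: refuses changes even for the table owner and for BYPASSRLS
-- roles such as Supabase's service_role, which the first two layers do not stop.
-- A BEFORE ... FOR EACH STATEMENT trigger fires even when zero rows match.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % is not permitted', tg_op;
end;
$$;

create trigger audit_log_no_change
  before update or delete on audit_log
  for each statement execute function audit_log_immutable();

-- Sanity check, expected to fail with the exception above:
-- update audit_log set action = 'tampered' where id = 1;
```

Corrections to a logged action are themselves new log entries that reference the original row, never edits to it.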

GDPR Compliance

Your app data includes personal data (names, emails, logins), so GDPR applies. Here's how we handle it:

Data Processing Agreement

A DPA is included with every contract.

Supabase as Sub-Processor

Documented, EU-hosted, with their own DPA.

AI Providers Documented

If you opt for external AI on your data, the provider is listed as a sub-processor with your explicit approval.

Data Subject Rights

If someone wants their data accessed, corrected, or deleted — we support that.

Breach Notification

You hear from us within 24 hours. The Belgian Data Protection Authority is notified within 72 hours if required.

Data Return & Deletion

When the contract ends, your data comes back to you and we delete our copy.

Incident Response

01 · Contain

Immediate containment and assessment of the incident.

02 · Notify Client

Client notification within 24 hours of discovery.

03 · Report to DPA

Belgian Data Protection Authority notified within 72 hours when required.

04 · Root Cause & Fix

Full root cause analysis, fix deployed, and written report delivered.

Full Documentation

Our complete Security & Data Protection Plan covers the technical details: coding standards, deployment checklists, GDPR framework, and AI governance options.

Every client gets this with their contract. Updated quarterly.

Download the Security & Data Protection Plan (PDF)

Questions?

Security questions deserve straight answers. Reach out directly — no forms, no sales funnels.

contact@ai-borg.be