Trust & Privacy

Security is a first-class feature, not an afterthought.

Construction workforce data — identities, locations, hours, and pay — deserves serious protection. This page describes the controls we run today, in plain terms and without overclaiming. Our internal SOC 2 readiness assessment is complete; we are not yet certified, and we say so.

SOC 2 readiness: Internal assessment complete — not yet certified
Data residency: Hosted in Canada (Supabase Central)
GDPR · CCPA · PIPEDA: DPA available on request
Encryption: TLS 1.2+ in transit, AES-256 at rest

Overview

Built on a hardened platform, documented honestly.

CrewDispatchr runs on Supabase (hosted on AWS) in the Central Canada region, benefiting from the encryption and physical-security controls of that infrastructure — which itself holds SOC 2 and ISO 27001 certifications that cover the platform, not CrewDispatchr's own application. On top of it we enforce least-privilege access, row-level tenant isolation, and tamper-evident audit trails. The program is owned by a named Information Security Officer. Where a control is planned rather than in place, we mark it as planned — we don't claim certifications or processes we don't have.

Compliance status

Where we stand today — no inflated claims.

We publish the honest state. Contact the security office for the artifacts we do have.

Readiness — not yet certified

SOC 2

We have completed an internal readiness assessment against the Trust Services Criteria (Security, Availability, Confidentiality). We are not audited by a licensed CPA firm and have no SOC 2 report to share yet. We'll update this page if and when a formal audit is engaged.

Available on request

GDPR, CCPA & PIPEDA

We act as a data processor for customer data. A Data Processing Agreement (with Standard Contractual Clauses where applicable) and our current subprocessor list are available on request.

Trust Services Criteria

How our current controls map to SOC 2.

This is a self-assessment of controls in place today, not an audited attestation.

Criterion | What it covers | Controls in place today
Security | Protection against unauthorized access. | Password authentication with a strong-password policy and secure reset; least-privilege role-based access; row-level tenant isolation; encryption in transit and at rest.
Availability | System uptime and resilience. | Managed, redundant hosting (Supabase on AWS); daily encrypted backups. Restore testing and a formal DR runbook are planned.
Confidentiality | Protection of confidential data. | Row-level tenant isolation, encryption in transit and at rest, and controlled deletion and redaction on request.
Processing Integrity | Complete, accurate processing. | Server-side input validation and immutable, tamper-evident audit trails on customer actions.
Privacy | Handling of personal information. | Data-subject access, export, and deletion/redaction requests; website consent management; DPA available.

Security controls

What's actually running today.

Every item below is implemented now. Planned work is labelled as planned.

Encryption

  • TLS 1.2+ in transit, AES-256 at rest
  • Encryption keys managed by Supabase

Access control

  • Password authentication with strong-password policy & secure reset
  • Least-privilege roles (ops admin / viewer / worker) enforced in the application
  • Row-level security enforcing per-tenant access at the database

SSO/SAML and MFA are on the roadmap for enterprise plans and are not yet available.

Data residency & hosting

  • Hosted in Canada — Supabase Central Canada region
  • Runs on AWS data centres holding SOC 2 & ISO 27001 attestations

Backups & resilience

  • Daily encrypted backups (Supabase-managed)
  • Managed, redundant infrastructure

Restore testing is planned.

Auditability & integrity

  • Immutable, tamper-evident audit trails on customer actions
  • Server-side input validation

Privacy & data rights

  • Data-subject access & export (SAR)
  • PIPEDA-aligned deletion & redaction on request
  • Website consent management

Subprocessor security

  • We rely on subprocessors that hold their own SOC 2 / ISO 27001 attestations
  • Current subprocessor list available (see below)

Incident response

  • We commit to notifying affected customers of confirmed incidents without undue delay

A formal, rehearsed incident-response runbook is planned.

Data handling

Specifics, in plain terms.

Encryption in transit
TLS 1.2 or higher for all connections.
Encryption at rest
AES-256, inherited from the Supabase/AWS platform.
Key management
Managed by Supabase; application secrets are not stored in source.
Tenant isolation
Row-level security (RLS) with per-request authorization checks.
Backups
Daily encrypted backups (Supabase-managed). Restore testing is planned.
Data residency
Canada — Supabase Central Canada region.
Retention & deletion
Retained per contract; deleted or redacted on request or at termination.
Data-subject rights
Access, export, and deletion/redaction handled within statutory timelines.

Subprocessors

Who processes data on our behalf.

We update this list as subprocessors change and can notify customers of material changes on request.

Subprocessor | Purpose | Region | Attestations
Supabase | Application database, authentication, file storage, and backups | Canada (Central) | SOC 2 Type II; runs on AWS (SOC 2, ISO 27001)

Building the full list — additional subprocessors (transactional email, frontend hosting) will be added here as confirmed.

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers. Email zied.youssfi@nextnumberglobal.com with steps to reproduce. We aim to acknowledge reports within two business days and will not pursue legal action for good-faith research that respects user privacy, avoids service disruption, and gives us reasonable time to remediate. Machine-readable details are published at /.well-known/security.txt.

Documentation

What you can request.

Available to customers and evaluating prospects, under a mutual NDA where appropriate.

What documents can I request?
Our Data Processing Agreement, our current subprocessor list, and this security overview. We do not yet have a SOC 2 report or ISO 27001 certificate — we'll say so plainly rather than point you to something that doesn't exist.
Do you complete security questionnaires?
Yes. We complete standard questionnaires (e.g. CAIQ, SIG Lite) and your custom questionnaire as part of procurement, answering honestly about what is in place versus planned.
How do I report a security concern?
Email our security office directly (below). For vulnerabilities, use the responsible-disclosure channel above.

Contact the security office

Zied Youssfi · Information Security Officer, Next Number Global Consulting

zied.youssfi@nextnumberglobal.com

Email the security office