Security is a first-class feature, not an afterthought.
Construction workforce data — identities, locations, hours, and pay — deserves serious protection. This page describes the controls we run today, in plain terms and without overclaiming. Our internal SOC 2 readiness assessment is complete; we are not yet certified, and we say so.
Built on a hardened platform, documented honestly.
CrewDispatchr runs on Supabase (hosted on AWS) in the Central Canada region, benefiting from the encryption and physical-security controls of that infrastructure — which itself holds SOC 2 and ISO 27001 certifications that cover the platform, not CrewDispatchr's own application. On top of it we enforce least-privilege access, row-level tenant isolation, and tamper-evident audit trails. The program is owned by a named Information Security Officer. Where a control is planned rather than in place, we mark it as planned — we don't claim certifications or processes we don't have.
Where we stand today — no inflated claims.
We publish the honest state. Contact the security office for the artifacts we do have.
SOC 2
We have completed an internal readiness assessment against the Trust Services Criteria (Security, Availability, Confidentiality). We are not audited by a licensed CPA firm and have no SOC 2 report to share yet. We'll update this page if and when a formal audit is engaged.
GDPR, CCPA & PIPEDA
We act as a data processor for customer data. A Data Processing Agreement (with Standard Contractual Clauses where applicable) and our current subprocessor list are available on request.
How our current controls map to SOC 2.
This is a self-assessment of controls in place today, not an audited attestation.
| Criterion | What it covers | Controls in place today |
|---|---|---|
| Security | Protection against unauthorized access. | Password authentication with a strong-password policy and secure reset; least-privilege role-based access; row-level tenant isolation; encryption in transit and at rest. |
| Availability | System uptime and resilience. | Managed, redundant hosting (Supabase on AWS); daily encrypted backups. Restore testing and a formal DR runbook are planned. |
| Confidentiality | Protection of confidential data. | Row-level tenant isolation, encryption in transit and at rest, and controlled deletion and redaction on request. |
| Processing Integrity | Complete, accurate processing. | Server-side input validation and immutable, tamper-evident audit trails on customer actions. |
| Privacy | Handling of personal information. | Data-subject access, export, and deletion/redaction requests; website consent management; DPA available. |
What's actually running today.
Every item below is implemented now. Planned work is labelled as planned.
Encryption
- TLS 1.2+ in transit, AES-256 at rest
- Encryption keys managed by Supabase
Access control
- Password authentication with strong-password policy & secure reset
- Least-privilege roles (ops admin / viewer / worker) enforced in the application
- Row-level security enforcing per-tenant access at the database
SSO/SAML and MFA are on the roadmap for enterprise plans, not yet available.
Data residency & hosting
- Hosted in Canada — Supabase Central Canada region
- Runs on AWS data centres holding SOC 2 & ISO 27001 attestations
Backups & resilience
- Daily encrypted backups (Supabase-managed)
- Managed, redundant infrastructure
Restore testing is planned.
Auditability & integrity
- Immutable, tamper-evident audit trails on customer actions
- Server-side input validation
Privacy & data rights
- Data-subject access & export (SAR)
- PIPEDA-aligned deletion & redaction on request
- Website consent management
Subprocessor security
- We rely on subprocessors that hold their own SOC 2 / ISO 27001 attestations
- Current subprocessor list available (see below)
Incident response
- We commit to notifying affected customers of confirmed incidents without undue delay
A formal, rehearsed incident-response runbook is planned.
Specifics, in plain terms.
- Encryption in transit: TLS 1.2 or higher for all connections.
- Encryption at rest: AES-256, inherited from the Supabase/AWS platform.
- Key management: managed by Supabase; application secrets are not stored in source.
- Tenant isolation: row-level security (RLS) with per-request authorization checks.
- Backups: daily encrypted backups (Supabase-managed). Restore testing is planned.
- Data residency: Canada — Supabase Central Canada region.
- Retention & deletion: retained per contract; deleted or redacted on request or at termination.
- Data-subject rights: access, export, and deletion/redaction handled within statutory timelines.
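To make the two database-side controls above concrete (row-level tenant isolation, and an immutable, tamper-evident audit trail), here is an added example of how they are typically built on Supabase's Postgres. It is illustrative code written for this page, not CrewDispatchr's own schema: the `shifts` and `audit_log` tables, their columns, the `current_tenant_id()` and `log_shift_change()` helpers, and a custom `tenant_id` JWT claim are all assumptions. `auth.jwt()`, `auth.uid()` and the pgcrypto `digest()` function are real Supabase/Postgres features.

```sql
-- Added example, not CrewDispatchr's schema. Assumed names: shifts, audit_log,
-- current_tenant_id(), log_shift_change(), and a "tenant_id" claim in the JWT.
create extension if not exists pgcrypto with schema extensions;

create table shifts (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  worker_id uuid not null,
  starts_at timestamptz not null,
  hours     numeric(5,2) not null check (hours >= 0 and hours <= 24) -- server-side validation
);

alter table shifts enable row level security;
alter table shifts force row level security;   -- applies to the table owner as well

-- Reads the caller's tenant from the Supabase JWT; NULL if the claim is absent,
-- which makes every policy below evaluate to "no rows".
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'tenant_id', '')::uuid
$$;

-- One policy for SELECT/INSERT/UPDATE/DELETE: USING filters rows the caller may see
-- or touch, WITH CHECK blocks writing a row under another tenant's id.
create policy shifts_tenant_isolation on shifts
  for all to authenticated
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Append-only audit trail with a SHA-256 hash chain: each entry commits to the
-- previous entry's hash, so an edited or removed row breaks the chain on verification.
create table audit_log (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  actor_id   uuid,
  action     text not null,           -- INSERT / UPDATE / DELETE
  row_id     uuid,
  old_row    jsonb,
  new_row    jsonb,
  prev_hash  text,
  entry_hash text not null,
  created_at timestamptz not null default now()
);
alter table audit_log enable row level security;
-- Tenants may read their own trail. No INSERT/UPDATE/DELETE policy exists, so RLS
-- denies those statements to application roles; the revoke removes the grants too.
create policy audit_log_tenant_read on audit_log
  for select to authenticated
  using (tenant_id = current_tenant_id());
revoke insert, update, delete on audit_log from authenticated, anon;

-- Runs as the function owner (bypasses the application role's RLS) so the trigger
-- can append to audit_log even though the caller cannot. Assumes a single chain;
-- concurrent writers would need serialisation to keep prev_hash strictly linear.
create or replace function log_shift_change() returns trigger
language plpgsql security definer set search_path = public, extensions as $$
declare
  last_hash text;
  payload   text;
begin
  select entry_hash into last_hash from audit_log order by id desc limit 1;
  payload := coalesce(last_hash, '') || tg_op
          || coalesce(to_jsonb(old)::text, '') || coalesce(to_jsonb(new)::text, '');
  insert into audit_log (tenant_id, actor_id, action, row_id, old_row, new_row, prev_hash, entry_hash)
  values (coalesce(new.tenant_id, old.tenant_id), auth.uid(), tg_op,
          coalesce(new.id, old.id), to_jsonb(old), to_jsonb(new), last_hash,
          encode(digest(payload, 'sha256'), 'hex'));
  return coalesce(new, old);
end
$$;

create trigger shifts_audit
  after insert or update or delete on shifts
  for each row execute function log_shift_change();
```

A verifier job can walk `audit_log` in `id` order and recompute each `entry_hash` from `prev_hash`, `action`, `old_row` and `new_row`; the first mismatch marks where the trail was altered. The `tenant_id` claim is assumed to be set by the application when it mints sessions; if the JWT carries no such claim, `current_tenant_id()` returns NULL and the policies return nothing rather than everything, which is the safe failure mode.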
Who processes data on our behalf.
We update this list as subprocessors change and can notify customers of material changes on request.
| Subprocessor | Purpose | Region | Attestations |
|---|---|---|---|
| Supabase | Application database, authentication, file storage, and backups | Canada (Central) | SOC 2 Type II; runs on AWS (SOC 2, ISO 27001) |
Building the full list — additional subprocessors (transactional email, frontend hosting) will be added here as confirmed.
Found a vulnerability? Tell us.
We welcome reports from security researchers. Email zied.youssfi@nextnumberglobal.com with steps to reproduce. We aim to acknowledge reports within two business days and will not pursue legal action for good-faith research that respects user privacy, avoids service disruption, and gives us reasonable time to remediate. Machine-readable details are published at /.well-known/security.txt.
What you can request.
Available to customers and evaluating prospects, under a mutual NDA where appropriate.
What documents can I request?
Do you complete security questionnaires?
How do I report a security concern?
Contact the security office
Zied Youssfi · Information Security Officer, Next Number Global Consulting