Security
How we protect your data
Effective date: May 10, 2026
1. Encryption
- Data in transit: all communication uses TLS 1.2 or higher (HTTPS).
- Data at rest: stored in PostgreSQL databases with encryption at rest (Supabase EU region).
2. Data residency
All customer data, including review content, OAuth tokens, and AI-generated drafts, is stored in the European Union (Supabase EU region). Data does not leave the EU except for AI generation requests sent to the Anthropic Claude API (US; see Subprocessors in our Privacy Policy).
3. Access control
Database access is protected by Row-Level Security (RLS) policies ensuring each user can only access their own restaurant's data. Service-role keys are stored in encrypted environment variables and never exposed to client code.
4. OAuth tokens
Google Business Profile OAuth tokens are stored encrypted in our database. Tokens are never logged, never displayed in our application, and never sent to third parties.
5. Incident response
In case of a security incident affecting customer data, we will notify affected customers within 72 hours of discovery, in compliance with GDPR Article 33. Reports can be made to contact@restaurant-reputation-tools.fr.
6. Responsible disclosure
If you believe you have found a security vulnerability in our application, please email contact@restaurant-reputation-tools.fr. We will acknowledge receipt within 48 hours.