Trust Center
3R Inspection Services treats security, privacy, and audit-readiness as the foundation of every client relationship. This page summarizes how we protect the data clients entrust to the 3R Performance Tracking platform.
Security Posture
Tenant Isolation
Every record in the platform is scoped to an organization (tenant) at the database level. Cross-tenant reads, writes, updates, and deletes are blocked at two enforcement layers: a row-level security predicate on every table and a per-row trigger that validates the caller's organization on every insert. A user signed in to organization A cannot access organization B's data even by manipulating object IDs in API calls.
Authentication
Authentication is provided by Supabase Auth (powered by GoTrue). Passwords are subject to a strict policy: minimum 12 characters with mixed case, a number, a symbol, and rejection of known-leaked passwords from the HaveIBeenPwned database. Failed login attempts trigger lockout protection. Session tokens are JWTs signed by the platform key, validated on every request.
Federated identity (SAML / OIDC + SCIM) for enterprise customers using Azure AD, Okta, or Google Workspace is on the roadmap.
Authorization
Three role tiers (super_admin / admin / inspector) are mapped to a granular permission catalog. Permissions follow the convention <resource>.<action> (e.g. cost.create, invoice.send). The role-to-permission mapping is per-organization, allowing tenants to customize delegation. Maker-checker separation of duties is supported for approval-flagged permissions.
Encryption
All traffic to and from the platform uses TLS 1.2 or higher. HSTS is enforced. Data at rest is encrypted by Supabase's storage layer (AES-256). Backups are encrypted in transit and at rest.
Audit Logging
Every insert, update, and delete on a business table is captured in an append-only audit log with the actor's user ID, role, IP address, user agent, before/after row state, and a severity flag. The audit log is super-admin-readable only and tamper-resistant: direct UPDATE on audit rows is blocked at the database trigger level. Retention defaults to seven years.
Soft Delete & Retention
Deletes are soft by default — records are flagged with a deletion timestamp and the deleting user's ID, then hidden from all reads via row-level security. Hard deletion (purge) requires the super-admin role and a configurable retention window (default seven years for accounting records, longer for inspection records subject to PHMSA "life of pipeline" requirements).
Application Security
Responses carry a Content Security Policy with strict directives, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a locked-down Permissions-Policy. Subresource Integrity hashes pin every CDN-loaded dependency. CSV exports neutralize formula-injection payloads (OWASP CSV Injection mitigation). HTML rendering uses a hardened escape function covering attribute, content, and template-literal contexts.
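To make the CSV formula-injection mitigation concrete, here is an added example of the OWASP-style neutralization, written for this page and not taken from the platform's own export code: cells whose first character a spreadsheet would treat as a formula trigger are prefixed with a single quote, and every field is RFC 4180-quoted. Function names and the sample rows are constructed.

```javascript
// Characters that spreadsheet applications treat as the start of a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Neutralize one cell for CSV export.
//  - Genuine numbers (e.g. -42 as a Number) are left alone so negative
//    amounts still import as numbers.
//  - Strings whose first non-space character is a trigger get a leading
//    single quote, which forces spreadsheets to render them as text.
//  - Every field is wrapped in double quotes with embedded quotes doubled,
//    so commas, quotes and newlines cannot break the record structure.
function neutralizeCell(value) {
  if (typeof value === "number") {
    return '"' + String(value) + '"';
  }
  const text = value === null || value === undefined ? "" : String(value);
  // Strip only literal spaces before the check: "  =1+1" is still a formula,
  // while a leading tab or carriage return is itself a trigger.
  const lead = text.replace(/^ +/, "")[0];
  const safe = FORMULA_TRIGGERS.has(lead) ? "'" + text : text;
  return '"' + safe.replace(/"/g, '""') + '"';
}

// Render an array of row objects as CSV, emitting the given headers in order.
function toCsv(rows, headers) {
  const lines = [headers.map(neutralizeCell).join(",")];
  for (const row of rows) {
    lines.push(headers.map((h) => neutralizeCell(row[h])).join(","));
  }
  return lines.join("\r\n");
}

// Constructed sample: one cost line whose description looks like a formula.
const SAMPLE_ROWS = [
  { item: "=1+1", amount: -42 },
  { item: 'Valve "A" inspection', amount: 1500 },
];
const SAMPLE_CSV = toCsv(SAMPLE_ROWS, ["item", "amount"]);
```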
Static Analysis
Every push and pull request runs Semgrep (OSS rule packs covering OWASP Top 10, JS-specific footguns, SQL injection, and secret-string detection), gitleaks for secret-history scanning, and project-specific sanity checks (JS syntax validation on every script, atomicity verification on every database migration). CI failure blocks merge.
Privacy
Data We Collect
Project metadata, quality and productivity inspection records, cost and invoice data tied to inspections, user account information (email, role, project assignments). We do not collect or store payment information; we do not embed third-party advertising trackers; we do not sell data.
Where Data Is Stored
Customer data is hosted in Supabase's US-East region on AWS infrastructure. The application frontend is served by Vercel from a global edge network; only static assets (no user data) traverse the edge.
Subprocessors
A complete list of subprocessors and the data they process is published at /subprocessors.html.
Subject Rights
For California residents (CCPA / CPRA), EU residents (GDPR), and any other applicable privacy framework: requests for access, correction, deletion, or portability of personal data should be sent to the contact below. We respond within 30 days.
Compliance
SOC 2
SOC 2 Type I readiness assessment is scheduled. Status: in scope, not yet certified.
PHMSA Record Retention
For pipeline inspection clients subject to 49 CFR 192/195 record retention, the platform supports per-table retention windows extending up to "life of pipeline" via the super-admin retention configuration. Default retention for accounting records is seven years (IRS / SOX compatible).
Data Processing Agreement
An executed DPA is available on request for clients subject to GDPR or CCPA processing-agreement requirements. The platform's underlying subprocessors (Supabase, Vercel) operate under their own published DPAs which we flow down.
Operational Practices
Backups
Backups run daily and are automated, with point-in-time recovery (PITR) available across a configurable PITR window. Backup files are encrypted at rest, and restoration is tested quarterly.
Monitoring
Application errors are captured via Sentry with PII scrubbing on the client (employee names, financial values, project names are stripped before any payload leaves the browser). Uptime monitoring on a 5-minute interval pings both the application and the API endpoint.
Incident Response
Security incidents are triaged and contained on a 24-hour SLA for high-severity events. Affected customers are notified per the contractual notification clause and applicable law.
Penetration Testing
Annual third-party penetration test scheduled. Scope includes the application's authentication, authorization, and data-isolation surface. First test: planned.
Documentation
The full set of governing documents:
Contact
Security questions, vulnerability reports, subject access requests, or DPA execution: contact 3R Inspection Services through the email address on file with your account, or through the public 3R Inspection Services contact channel. We aim to acknowledge within two business days.
This Trust Center is informational. It does not modify or replace any contractual terms between 3R Inspection Services and a client; the executed agreement governs.