Security and Technical & Organisational Measures

Last updated: 20 May 2026
Version: 1.0
Permanent link to this version: bespokely.io/legal/security/v1.0

This page describes the technical and organisational measures ("TOMs") that Bespokely Inc. ("Bespokely") implements to protect personal data processed in its products, in fulfilment of Art. 32 GDPR and equivalent obligations under other data-protection laws.

This page applies to all products operated by Bespokely Inc. Where a product differs materially from the platform baseline, this is called out in §13 Product-specific notes.

§1 Information security governance

  • A documented information security programme reviewed at least annually.
  • Security ownership at the founder level (Edgardo Romo, accountable executive).
  • Security policies covering: access control, acceptable use, incident response, vendor management, change management, business continuity.
  • All employees acknowledge the security policy at hire and on each material update.

§2 Access control

§2.1 Identity and authentication

  • Individual named accounts for every Bespokely operator. No shared credentials.
  • Mandatory multi-factor authentication (TOTP minimum) for all administrative access to production systems.
  • Single sign-on via the Bespokely identity provider for any operator with production access.
  • Customer end-users authenticate via the relevant product's authentication system (Supabase Auth), with bcrypt-hashed passwords and optional TOTP.

§2.2 Authorisation and least privilege

  • Need-to-know principle: access to customer data is granted only to operators who require it for a specific task.
  • Role-based access control at the application layer.
  • Row-Level Security (RLS) policies on all database tables containing personal data.
  • The Supabase service_role key is held in server-side environment variables only; it is never exposed to client-side bundles.
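The two controls above (RLS on every table holding personal data, and a service_role key that never reaches a client) fit together as follows. The block below is an added illustration, not Bespokely's own schema: the table client_documents, its owner_id column and the policy names are hypothetical; auth.uid() is Supabase's built-in helper returning the JWT subject of the calling user, and authenticated is Supabase's standard role for logged-in end-users.

```sql
-- Added example (not Bespokely's own code): per-tenant row isolation with
-- PostgreSQL Row-Level Security on a Supabase-hosted table.
-- Assumptions: "client_documents", "owner_id" and the policy names are
-- hypothetical; auth.uid() and the "authenticated" role are Supabase built-ins.

create table if not exists client_documents (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),
  title       text not null,
  body        text,
  created_at  timestamptz not null default now()
);

-- With RLS enabled and no policy defined, ordinary roles see no rows at all,
-- so the anon role (public API key) gets nothing by default.
alter table client_documents enable row level security;
-- FORCE also subjects the table owner to the policies, so an application
-- connection running as the owner cannot bypass them by accident.
alter table client_documents force row level security;

-- Logged-in users may read only rows they own.
create policy "owner can read"
  on client_documents for select
  to authenticated
  using (owner_id = auth.uid());

-- WITH CHECK validates the row being written, so a user cannot insert a row
-- tagged with someone else's owner_id.
create policy "owner can insert"
  on client_documents for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update"
  on client_documents for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete"
  on client_documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- Verification query (run as any role): both flags should read true.
select relrowsecurity, relforcerowsecurity
from pg_class
where relname = 'client_documents';
```

The service_role key maps to a database role that bypasses RLS entirely, which is exactly why §2.2 confines it to server-side environment variables: a client bundle holding that key would see every tenant's rows regardless of the policies above.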

§2.3 Joiner/mover/leaver process

  • Provisioning by ticket against the identity provider.
  • Quarterly access review by the security owner; departed staff removed within 24 hours of offboarding.

§3 Data encryption

§3.1 At rest

  • AES-256 encryption for all customer data stored in PostgreSQL, object storage (Supabase Storage), and backups.
  • Database backups encrypted with provider-managed keys; key rotation follows the provider's policy.
  • Sensitive secrets (API keys, OAuth tokens, payment references) stored in dedicated secret managers or encrypted at the column level using pgsodium / pgcrypto.
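As an added illustration of the column-level option mentioned above (not Bespokely's own code), the block below stores an OAuth token with pgcrypto so that only ciphertext is ever written to the table. The table integration_tokens and the session setting name app.column_key are hypothetical; the key value itself is assumed to come from the server-side secret manager and to be injected per connection by the application, never stored in a migration.

```sql
-- Added example (not Bespokely's own code): column-level encryption with pgcrypto.
-- Assumptions: "integration_tokens" and the setting "app.column_key" are
-- hypothetical; the real key is read from the secret manager by the server.

create extension if not exists pgcrypto;

create table if not exists integration_tokens (
  id          bigint generated always as identity primary key,
  customer_id uuid not null,
  provider    text not null,
  token_enc   bytea not null,              -- ciphertext only; plaintext is never stored
  created_at  timestamptz not null default now()
);

-- The application runs this once per connection with the key from its
-- environment. A session without the setting can neither encrypt nor decrypt.
set app.column_key = 'PLACEHOLDER-KEY-FROM-SECRET-MANAGER';

insert into integration_tokens (customer_id, provider, token_enc)
values (
  '00000000-0000-0000-0000-000000000001',            -- constructed sample id
  'example-calendar',
  pgp_sym_encrypt('sample-oauth-token-value',         -- constructed sample token
                  current_setting('app.column_key'))
);

-- Decryption is confined to the server-side code path that holds the key.
select id, provider,
       pgp_sym_decrypt(token_enc, current_setting('app.column_key')) as token
from integration_tokens;

-- Check that the plaintext did not leak into the stored bytes (expect true).
select id,
       position('sample-oauth-token-value' in encode(token_enc, 'escape')) = 0
         as ciphertext_only
from integration_tokens;
```

Because current_setting raises an error when the setting is absent, a database backup, an operator's ad-hoc query, or a replica without the injected key yields ciphertext only, which is the property §3.1 is after.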

§3.2 In transit

  • TLS 1.2 minimum; TLS 1.3 preferred. Insecure protocols are disabled.
  • HSTS enabled on all customer-facing domains.
  • Database connections use SSL with sslmode=require minimum (verify-full preferred for server-to-database connections).
  • Internal service-to-service calls use TLS terminated at the receiving service.

§4 Network and infrastructure security

  • All infrastructure runs on managed providers (Vercel, Supabase) with their underlying compliance posture (Vercel and Supabase rely on AWS infrastructure for the EU region — AWS holds ISO 27001, SOC 2 Type II, and other certifications).
  • DDoS protection at the edge via Vercel.
  • Network segmentation between production, staging, and development environments. No shared databases across environments.
  • Per-tenant data isolation: one Supabase project per customer for customer-data workloads.

§5 Application security and software development lifecycle

  • All code changes go through pull-request review.
  • Static analysis (linters, type checkers, dependency scanning) runs on every change.
  • Dependencies tracked via lockfiles; updates reviewed at least monthly.
  • Production deployments are immutable and version-pinned; rollback is one click.
  • Secrets never committed to source control; pre-commit secret-scanning enabled.
  • Web vulnerabilities mitigated through framework-level protections (CSRF tokens, output encoding, parameterised queries) and platform-level protections (Vercel WAF, CSP headers).

§6 Logging, monitoring, and audit

  • Application-level audit log records every mutation of personal data: actor, timestamp, record id, action. Audit log payloads reference record ids only — they do not contain the personal data itself.
  • Database audit log enabled at the Supabase level; operator queries against tables with personal data are logged.
  • Vercel runtime logs capture request-level data (IP address truncated, timestamp, path, status). Retention: 30 days.
  • Sentry captures application errors with PII scrubbing enabled (email and free-text fields redacted before transmission).
  • Audit logs retained for 3 years to satisfy the Art. 7 GDPR consent-proof requirement and operational forensic needs.
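The first bullet of §6 describes an application-level audit log that stores actor, timestamp, record id and action but never the personal data itself. The block below is an added example, not Bespokely's own code, and shows the same principle enforced at the database layer with a trigger instead of in application code: the tables audit_log and client_documents and the function audit_mutation are hypothetical, and auth.uid() is assumed to be Supabase's helper for the caller's JWT subject.

```sql
-- Added example (not Bespokely's own code): an audit table that records who
-- changed which row and when, referencing the record by id only.
-- Assumptions: "audit_log", "client_documents" and "audit_mutation" are
-- hypothetical; auth.uid() is Supabase's built-in (null for service jobs).

create table if not exists client_documents (
  id     bigint generated always as identity primary key,
  title  text not null,
  body   text
);

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  actor       uuid,                        -- JWT subject of the caller, null for service jobs
  occurred_at timestamptz not null default now(),
  table_name  text not null,
  record_id   bigint not null,             -- reference only: no column values are copied
  action      text not null check (action in ('INSERT', 'UPDATE', 'DELETE'))
);

-- RLS with no policies: anon/authenticated roles can neither read nor rewrite
-- the log. The trigger function runs as its definer (the table owner), which
-- is not subject to RLS unless FORCE is set, so its inserts still succeed.
alter table audit_log enable row level security;

create or replace function audit_mutation() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  rec_id bigint;
begin
  -- For DELETE only OLD is populated; for INSERT/UPDATE use NEW.
  rec_id := case when tg_op = 'DELETE' then old.id else new.id end;
  insert into audit_log (actor, table_name, record_id, action)
  values (auth.uid(), tg_table_name, rec_id, tg_op);
  return null;   -- return value is ignored for AFTER triggers
end;
$$;

create trigger client_documents_audit
  after insert or update or delete on client_documents
  for each row execute function audit_mutation();

-- Verify the log schema carries identifiers and metadata only: no title/body.
select column_name
from information_schema.columns
where table_name = 'audit_log'
order by ordinal_position;
```

Keeping only the record id in the log is what makes the 3-year retention in the last bullet compatible with erasure requests: deleting or pseudonymising the referenced row removes the personal data while the fact of the mutation stays provable.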

§7 Incident detection and response

  • 24×7 alerting on availability and security signals (failed-auth spikes, unusual data export volumes, error spikes).
  • Documented incident response plan with severity classification.
  • Customer notification: for any confirmed security incident affecting a customer's personal data, Bespokely notifies the customer (controller) without undue delay and in any case within 24 hours of confirmation. This is faster than the 72-hour controller-to-DPA window under Art. 33 GDPR to give controllers lead time.
  • Post-incident: written postmortem within 14 days, including remediation actions and updates to security documentation if applicable.

§8 Backup and business continuity

  • Encrypted daily backups of all customer databases.
  • Backup retention: 7 days, with point-in-time recovery available within that window.
  • Backups stored in the same EU region as the primary data (Frankfurt for EU-region products).
  • Quarterly restore tests for at least one production database to validate recoverability.
  • Documented disaster recovery plan with target RTO ≤ 4 hours and RPO ≤ 24 hours for in-region failures; longer for region-wide failures.

§9 Personnel security

  • Background checks for all operators with production access, subject to applicable law.
  • Confidentiality obligations in every employment and contractor agreement.
  • Annual security awareness training, including phishing simulation.
  • Bring-your-own-device permitted only for non-production access; production access from managed devices only.

§10 Vendor and sub-processor management

  • Every sub-processor under a written Data Processing Agreement that includes Standard Contractual Clauses where applicable.
  • Annual review of each sub-processor's security posture and DPF / certification status.
  • Public sub-processor list maintained at bespokely.io/legal/sub-processors, updated with 30-day advance notice of changes per the customer DPA.
  • Customers retain the right to object to a new sub-processor.

§11 Data location and sovereignty

  • Customer data for products serving EU customers is hosted in AWS eu-central-1 (Frankfurt, Germany).
  • No multi-region replication of customer data outside the EU.
  • LLM-inference sub-processors (OpenAI, Anthropic) operate in the USA and process prompts there under DPF / SCCs; we configure these providers to opt out of training on customer content where the option exists.
  • Customer-content data sent to LLMs is minimised and may be redacted at the application layer where the use case allows.

§12 Data subject requests and assistance to controllers

  • We assist customers (controllers) in fulfilling data subject requests under Art. 12–22 GDPR within the SLA defined in the customer DPA (typically: response to the controller within 14 days of receiving a routed request).
  • We provide controllers with the tooling needed to: export customer data, delete records on request, and pseudonymise records where deletion is not yet possible due to legal retention obligations of the controller.

§13 Product-specific notes

Notes specific to TOMs, per product:

  • Bespokely Website: Standard baseline applies. Native analytics only. No third-party tracking processors.
  • Bespokely Client Portal: Standard baseline plus the following. Document storage uses Supabase Storage with server-side encryption; e-signature audit trails are stored in append-only fashion; signed-document hashes are notarised in the database with timestamps.
  • Bespokely AI Assistant: Standard baseline plus the following. LLM provider selection per deployment is documented in the order confirmation; conversation logs are retained per the customer's configured retention period (default 90 days); LLM prompts are redacted of identifying customer data where feasible.
  • Bespokely AI (Hospitality): Standard baseline plus the following. Integrations with hotel PMS or booking systems are scoped per deployment and detailed in the order confirmation.

§14 Certifications and attestations

The following certifications are held or in scope. Where Bespokely itself is not yet certified, we rely on the certifications of the underlying infrastructure providers.

  • AWS (underlying infrastructure for Vercel and Supabase EU region): ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS Level 1, C5 (Germany).
  • Vercel: SOC 2 Type II, ISO 27001.
  • Supabase: SOC 2 Type II.
  • Bespokely Inc. (direct): SOC 2 Type II — in scope for 2026 (planned).

§15 Updates to this page

Material updates are versioned (v1.0, v1.1, etc.) and notified to active customers by email at least 30 days before they take effect, except where an update tightens (rather than relaxes) a measure, in which case it takes effect immediately and is notified within 30 days after publication.

Version history:

  • Version 1.0, effective from 2026-05-20: Initial publication of platform-wide TOMs covering all products operated by Bespokely Inc.

Previous versions are preserved at bespokely.io/legal/security/v[VERSION].

Contact for security questions: Bespokely Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA · privacy@bespokely.io · +1 (512) 348-6588