Honest, current state — not aspirational claims.
FAFFLY is currently in a private build phase. We are onboarding our first 20 customers as Founding Partners. This page reflects our current operational posture, not a finished compliance program.
All customer data is hosted on:
Data is encrypted in transit via TLS 1.3 and at rest via AES-256, as provided by Supabase and Vercel infrastructure defaults. We do not currently operate independent encryption key management.
User authentication is handled by Supabase Auth with bcrypt password hashing. Sessions are JWT-based with 1-hour expiry.
All customer data tables use Postgres row-level security to enforce tenant isolation. No FAFFLY employee accesses customer data without your written consent.
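An added example of the row-level-security pattern described above (not FAFFLY's schema or code): it assumes a `tenant_members` membership table and a `customers` table carrying a `tenant_id` column, and uses Supabase's `auth.uid()` to read the subject of the session JWT.

```sql
-- Added example, not FAFFLY's schema: tenant isolation with Postgres RLS.
-- Assumed tables: tenant_members(tenant_id, user_id), customers(id, tenant_id, email).
-- auth.uid() is Supabase's helper returning the `sub` claim of the caller's JWT.

create table if not exists tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);

create table if not exists customers (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  email     text not null
);

-- Membership rows are visible only to the member themselves. This policy does
-- not query tenant_members, so policies that reference it do not recurse.
alter table tenant_members enable row level security;
alter table tenant_members force row level security;
create policy members_self_select on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- FORCE makes the policies apply even to the table owner; without it an
-- owner-role connection would silently see every tenant's rows.
alter table customers enable row level security;
alter table customers force row level security;

-- A customer row is visible only if the caller belongs to that row's tenant.
create policy customers_tenant_select on customers
  for select to authenticated
  using (exists (
    select 1 from tenant_members m
    where m.tenant_id = customers.tenant_id
      and m.user_id   = auth.uid()));

-- Writes need WITH CHECK as well, or a caller could insert/update a row
-- into a tenant they do not belong to even though they could not read it back.
create policy customers_tenant_write on customers
  for all to authenticated
  using (exists (
    select 1 from tenant_members m
    where m.tenant_id = customers.tenant_id and m.user_id = auth.uid()))
  with check (exists (
    select 1 from tenant_members m
    where m.tenant_id = customers.tenant_id and m.user_id = auth.uid()));
```

The Supabase `service_role` key bypasses RLS entirely, so it must never reach a browser or be used for per-tenant requests; to verify isolation, query `customers` as a user with no `tenant_members` row and confirm the result is zero rows rather than an error.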
We are working toward SOC 2 readiness as we grow. We do not currently hold any third-party security certifications. We commit to GDPR and CCPA principles in our handling of personal data, but have not yet completed a formal compliance review. Our roadmap includes:
Found a security issue? Email hello@faffly.co with the subject line ‘security’. We commit to acknowledging within 48 hours.
The third-party services that process customer data on our behalf:
| Provider | Purpose | Region | Security |
|---|---|---|---|
| Supabase | PostgreSQL database + auth | AWS us-west-2 | supabase.com/security |
| Vercel | Web hosting / edge | Global, US origin | vercel.com/security |
| Resend | Transactional email | North America | resend.com/legal/subprocessors |
| Shopify | Customer/discount API | Per Shopify standards | shopify.com/legal |