Security
Last updated: 2026-05-21 · v1.2
This page summarises the technical and organisational measures (TOMs) that suPlay BV applies to protect the Supplier Satisfaction Analysis Platform. It is provided for pre-sales transparency and serves as the reference document for §6 of the DPA.
Infrastructure
- Hosting in the Netherlands (TransIP / team.blue), within the EU.
- Encrypted off-site backups to Scaleway Amsterdam, GPG-AES256 encrypted client-side before upload. Daily rotation, 30-day retention on-site, 30-day off-site daily, 12-month off-site monthly.
- Hardened OS (AlmaLinux 9) with SELinux enforcing, fail2ban, restricted SSH (key-only, non-default port), automated security updates.
Data in transit
- HTTPS for all customer and staff traffic; TLS 1.2+; HSTS with long max-age.
- Content Security Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Permissions-Policy restricted.
- Internal AI inference (Ollama) reachable only over an outbound SSH reverse tunnel; no inbound port is exposed for it.
Data at rest
- PostgreSQL database on encrypted volumes.
- Backups encrypted with AES-256 and a passphrase held only on the production host.
- Passwords hashed with bcrypt.
- API tokens hashed with SHA-256; raw tokens never stored.
Access control
- Role-based access with 18 fine-grained permissions (PERM_*) and role weights.
- Multi-tenant scoping via BuyingFirmAccessService; nested routes verify parent-child ownership.
- Admin impersonation limited to ROLE_ADMIN and blocked from impersonating super admins; all impersonation events are logged.
- Login throttling (5 attempts / 15 min) + fail2ban on the host.
Application security
- CSRF protection on all state-changing endpoints.
- Session-based CSRF binding; stateless API uses Bearer tokens with rate limits.
- Input validation at the entity and controller level; Doctrine parameterised queries only.
- Partial unique indexes enforcing tenant isolation on invitation and response tables.
- Uploads validated via finfo; size-capped.
Development practices
- Code review before merge; CI runs PHPUnit, lint, and E2E tests on every PR.
- Dependency updates reviewed on a quarterly cadence.
- Production deployments via a documented deploy script; asset-map compilation runs as a non-privileged service user.
Incident response
- Application health monitored via Sentry (EU region, PII-scrubbed).
- Personal data breach notification to affected customers within 72 hours of becoming aware (DPA §9); notification to the Dutch supervisory authority (AP) within 72 hours where applicable under GDPR Art. 33.
- Security contact: privacy@suplay.nl.
Data location
All primary processing and backups occur within the European Union (Netherlands).
All active subprocessors operate in the EU; see /subprocessors.
Responsible disclosure
If you discover a security vulnerability in the SSA Platform, please report it to privacy@suplay.nl with a description of the issue and steps to reproduce. We commit to:
- Acknowledge your report within 3 business days.
- Provide a status update within 10 business days.
- Not pursue legal action against researchers acting in good faith.
We ask that you give us a reasonable window to triage and fix before public disclosure, and that you avoid accessing or modifying data that is not your own.