Security at Courrex
We treat the data your operations team and drivers send through Courrex as if it were our own — because under GDPR, in many cases, it legally is. This page explains exactly what we do to protect it.
Hosting and data residency
- EU-only hosting. All operational data is hosted with Supabase in the Frankfurt region (eu-central-1). No data is transferred to the United States or any third country without GDPR-compliant safeguards.
- Web frontend served from Vercel's European edge network.
- Push notifications delivered via Apple Push Notification service (US Apple infrastructure) and Firebase Cloud Messaging (US Google infrastructure). Push payloads are short — title, body, deep-link — and contain no sensitive operational data.
Encryption
- In transit: TLS 1.2+ on all connections. HSTS preload enabled with max-age=31536000; includeSubDomains; preload. Cleartext HTTP is disabled at both the app level and the hosting layer.
- At rest: AES-256 encryption for all database content and object storage (chat photos, voice messages, proof-of-delivery photos).
- Authentication tokens: Supabase JWT-based sessions, signed with HS256. Tokens auto-rotate on session refresh.
Access control
- Row-level security (RLS) enforced on every database table. A driver can only read their own assigned stops; an operator can only read the data of drivers in their organization. Policies are auditable in the database schema.
- Service role keys are stored in Vercel environment variables, never bundled with client code. Only the /api/push route on the server side uses the service role for sending push notifications.
- Internal access to production data is limited to two senior engineers and is logged. We do not run analytics or ML training over customer data.
Application security
- Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy restricting camera/mic/geo to same-origin only, Cross-Origin-Opener-Policy same-origin.
- Content security: No third-party JS trackers, no advertising SDKs, no fingerprinting libraries.
- Static export for the mobile bundle means the iOS and Android apps ship as pure static HTML/JS/CSS with no server-side rendering on device — reducing the attack surface inside the WebView.
- Privacy manifest (PrivacyInfo.xcprivacy) shipped with the iOS app per Apple's 2024-05 requirement. Declares all collected data types and Required Reason API usage.
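For operators checking the HSTS and security-header claims above during a vendor review, the following is an added example, not Courrex's own code: it audits a response's headers against the values stated on this page. The sample responses are constructed, and reading "same-origin only" as the Permissions-Policy allowlist (self) is an assumption.

```python
import re

# Exact values from the security-header list on this page.
EXPECTED = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
}
HSTS_MIN_AGE = 31536000  # max-age stated on this page
SENSORS = ("camera", "microphone", "geolocation")

def audit_headers(raw):
    """Return a list of findings; an empty list means the response matches."""
    h = {k.lower(): v.strip() for k, v in raw.items()}  # names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    # HSTS: parse the directives, since their order and case may vary.
    directives = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((int(d.split("=", 1)[1].strip('"')) for d in directives
                if re.fullmatch(r'max-age="?\d+"?', d)), None)
    if age is None or age < HSTS_MIN_AGE:
        findings.append(f"strict-transport-security: max-age {age} below {HSTS_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in directives:
            findings.append(f"strict-transport-security: {flag} not set")
    # Permissions-Policy: each sensor must be allowed for (self) only (assumption).
    policy = {}
    for item in h.get("permissions-policy", "").split(","):
        feature, _, allow = item.strip().partition("=")
        policy[feature.lower()] = allow.strip()
    for feature in SENSORS:
        if policy.get(feature) not in ("(self)", "self"):
            findings.append(f"permissions-policy: {feature} is {policy.get(feature)!r}, expected (self)")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(self), microphone=(self), geolocation=(self)",
    "Cross-Origin-Opener-Policy": "same-origin",
}
BAD = {**GOOD, "Strict-Transport-Security": "max-age=86400",
       "X-Frame-Options": "SAMEORIGIN", "Permissions-Policy": "camera=*, microphone=(self)"}
```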
Driver app security
- 6-digit driver login codes are stored server-side as Supabase auth credentials with hashed passwords (bcrypt, cost factor 10). Codes can be rotated by the operator at any time; rotating a code immediately revokes the previous code.
- PIN re-lock on the driver device: even after sign-in, the driver enters a 4-digit PIN to resume an idle session. PIN is stored in iOS Keychain / Android Keystore, never transmitted.
- Background location is only collected while a route is active. The moment the driver finishes the route or signs out, GPS sharing stops. Location data from prior routes is auto-deleted after 30 days.
Operator dashboard security
- Email + password authentication via Supabase Auth. Passwords meet OWASP 2023 baseline (8+ chars, stored hashed, no truncation).
- Auto-logout after 4 hours of inactivity (mouse / keyboard / touch / scroll / focus events) — even if the browser tab is left open. This protects shared office computers.
- Multi-factor authentication (TOTP) is on our roadmap and available on Enterprise tier on request.
Incident response
We follow a documented incident response procedure aligned with GDPR Art. 33-34 requirements:
- On detection of a personal-data breach, we triage within two hours and engage the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours if the breach risks the rights and freedoms of affected users.
- Affected users are notified without undue delay via the email on file plus an in-app banner, with clear information on what happened, what data was involved, and what we're doing to remediate.
- We publish a public post-mortem for any incident affecting multiple operators within 30 days of resolution.
Reporting a vulnerability
If you believe you've found a security issue in Courrex, please email security@courrex.com before disclosing publicly. We acknowledge reports within one business day and aim to remediate critical issues within 7 days. We do not currently pay bounties but we do credit researchers in our public security advisories with their permission.
Sub-processors
The full list of third parties that process customer data on our behalf is in our Privacy Policy §7:
- Supabase Inc. — database, auth, storage (EU Frankfurt region)
- Vercel Inc. — web hosting (EU edge)
- Mapbox Inc. — maps and routing (anonymous coordinates only)
- Google LLC — Routes API + auto-translation (anonymous coordinates and message text only)
- Apple Inc. — APNs push delivery
- Google LLC — Firebase Cloud Messaging push delivery
We notify operators of any change to our sub-processor list via the email on file at least 30 days before the change takes effect.
Compliance and audits
- EU GDPR compliance — full Art. 6 lawful basis documented in our Privacy Policy.
- Estonian Personal Data Protection Act — we are supervised by the Estonian Data Protection Inspectorate (AKI).
- SOC 2 / ISO 27001 — not yet certified. On the roadmap for 2027 once we cross 100 paying operators. We can share our security questionnaire on request.
- Apple App Store + Google Play — we have published privacy manifests and data safety declarations matching this page exactly.
Backup and disaster recovery
- Database backups taken automatically by Supabase: continuous WAL replication + daily point-in-time snapshots, retained for 7 days (Launch + Scale) or 30 days (Enterprise).
- Object storage (chat photos, audio, proof-of-delivery photos) replicated cross-AZ within the Frankfurt region.
- RTO target: 4 hours for critical service restoration. RPO target: 1 hour of data loss in worst case.
Contact
Security and vulnerability reports: security@courrex.com
Privacy and data-subject requests: privacy@courrex.com
General security questions: hello@courrex.com