Security & Data Posture

RSPNSBL handles regulatory data — by design, the substance is sensitive. This page describes our security architecture today and the formal certifications on our roadmap.

Last updated: 24 April 2026
Placeholder notice. This document is a structural placeholder. Final wording is being prepared with legal counsel. For specific questions, please contact legal@rspnsbl.world.

Data residency

Production data is hosted in the European Union on Supabase (PostgreSQL). Static assets and edge logic are served via Cloudflare Pages. No production data is stored outside the EU without explicit safeguards.

Encryption

Access control

The platform uses Postgres Row-Level Security (RLS) for all tenant-segmented data. Write access to shared tables is restricted at the application layer and enforced at the database layer. Audit logs record all reviewer actions and ingestion events on an append-only basis.

Trust gates

The platform's architecture incorporates structural trust mechanisms: a 6-rule PostgreSQL ingestion validation gate, an evidence qualification gate (confidence ≥ 70 or human review), append-only audit tables, deterministic capability derivation, and end-to-end traceability from disclosure back to source legal text. These are described in detail in the Architecture section of the platform site.

GDPR posture

We operate as a data controller in respect of users of rspnsbl.world and as a data processor in respect of customer data processed through the connected product applications. Data Processing Agreements are available on request for organisational customers.

Certifications roadmap

RSPNSBL is currently pre-certification. Formal certifications targeted on the roadmap include:

Reporting security issues

If you discover a security issue, please report it confidentially to security@rspnsbl.world. We aim to acknowledge reports within two working days. We do not currently operate a paid bug bounty programme.

Subprocessors

The current production subprocessors are Supabase Inc. (database hosting), Cloudflare Inc. (edge hosting and DNS), Anthropic PBC (Claude API for extraction), and Resend (transactional email). Each operates under its own DPA. The full subprocessor list is available to organisational customers on request.