Security & Compliance

How ShiftFlex Protects Your Team's Data

Full security disclosure for IT teams, procurement, and franchise operators. Covers data isolation architecture, encryption, authentication, GDPR compliance, and employee data handling.

Security Architecture

TLS 1.3 In Transit

All API calls and data transfers encrypted with TLS 1.3 via Supabase's managed endpoints.

AES-256 At Rest

PostgreSQL data encrypted at rest using AES-256 on Supabase's AWS-backed infrastructure.

Row Level Security

All queries scoped to cluster_id via PostgreSQL RLS. Cross-franchise data access is architecturally impossible.

JWT + SecureStore

Auth tokens stored in Expo SecureStore (hardware-backed), not AsyncStorage. Prevents extraction from device backups.

Role-Based Access

Employee vs manager roles enforced server-side via RLS policies, not client-side logic. Roles cannot be spoofed.

Audit Logging

All manager actions (shift creation, roster changes, announcements) are recorded in the audit_logs table with timestamps and actor IDs.
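
The Row Level Security and Role-Based Access items above, sketched as Supabase-style PostgreSQL policies. This is an added example, not ShiftFlex's schema or policies: the profiles and shifts tables, the caller_cluster_id() and caller_role() helpers, and all policy names are hypothetical; auth.uid() is Supabase's helper that returns the authenticated user's id from the JWT.

```sql
-- Hypothetical schema for illustration only (not ShiftFlex's actual tables).
create table profiles (
  user_id    uuid primary key,        -- equals auth.uid() for the owning user
  cluster_id uuid not null,           -- franchise group (tenant) key
  role       text not null check (role in ('employee', 'manager'))
);
create table shifts (
  id         uuid primary key default gen_random_uuid(),
  cluster_id uuid not null,
  starts_at  timestamptz not null,
  ends_at    timestamptz not null
);

-- With RLS enabled and no matching policy, access is denied by default.
alter table profiles enable row level security;
alter table shifts   enable row level security;

-- Helpers read tenant and role from the server-side profile row, never from
-- client-supplied values. SECURITY DEFINER avoids recursive policy evaluation.
create function caller_cluster_id() returns uuid
  language sql stable security definer set search_path = public
  as $$ select cluster_id from profiles where user_id = auth.uid() $$;
create function caller_role() returns text
  language sql stable security definer set search_path = public
  as $$ select role from profiles where user_id = auth.uid() $$;

-- Users may read only their own profile. No INSERT/UPDATE policy exists on
-- profiles, so a client cannot change its own role or cluster_id.
create policy profiles_self_read on profiles
  for select using (user_id = auth.uid());

-- Any member may read shifts in their own cluster; other clusters' rows are invisible.
create policy shifts_same_cluster_read on shifts
  for select using (cluster_id = caller_cluster_id());

-- Only managers may create or change shifts, and only inside their own cluster.
create policy shifts_manager_insert on shifts
  for insert with check (cluster_id = caller_cluster_id() and caller_role() = 'manager');
create policy shifts_manager_update on shifts
  for update
  using      (cluster_id = caller_cluster_id() and caller_role() = 'manager')
  with check (cluster_id = caller_cluster_id() and caller_role() = 'manager');

-- Review check: list tables in the public schema that do NOT have RLS enabled.
select relname from pg_class
where relnamespace = 'public'::regnamespace and relkind = 'r' and not relrowsecurity;
```

The final query is the one to run during a security review: any table it returns is readable through the API without tenant scoping, regardless of the policies defined elsewhere.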

Compliance Matrix

| Standard | Status | Scope | Notes |
|---|---|---|---|
| GDPR (EU) | Compliant | All user and scheduling data | Data isolation by cluster, right to erasure supported |
| CCPA (California) | Compliant | All user data | No data sale; opt-out respected |
| SOC 2 Type II | In Progress | Enterprise tier | Target: Q4 2026. Infrastructure on SOC 2-compliant providers. |
| ISO 27001 | Planned | Enterprise tier | Target: H1 2027 |

Security FAQ

Detailed answers structured for IT review, procurement questionnaires, and enterprise due diligence.

Is ShiftFlex GDPR compliant?
Employee scheduling data is stored in a Supabase PostgreSQL database isolated by cluster_id. No employee data is shared across franchise groups or sold to third parties. Users have the right to request data deletion at any time by contacting support@shiftflex.app.

How does ShiftFlex isolate data between franchise groups?
Every franchise group (cluster) is isolated at the database layer via Supabase Row Level Security (RLS) policies scoped to cluster_id. An employee at Location A cannot query, view, or interact with any data from an unrelated franchise group — including shift listings, team rosters, announcements, or employee profiles. This isolation is enforced by PostgreSQL RLS, not application-layer filtering.

What encryption does ShiftFlex use?
All data in transit is encrypted with TLS 1.3 via Supabase's managed infrastructure. Data at rest is encrypted using AES-256 on Supabase's PostgreSQL storage. Authentication tokens are Supabase JWTs stored in Expo SecureStore — hardware-backed secure enclave storage — preventing extraction from device backups.

How does ShiftFlex handle authentication security?
ShiftFlex uses Supabase Auth with email/password and Google OAuth. Role-based access control (employee vs manager) is enforced server-side via RLS policies on every API request — roles cannot be spoofed by modifying client-side state.

What employee data does ShiftFlex store?
Stored: name, email, role, cluster assignment, shift history, availability preferences, manager audit logs. Not stored: payment card data (handled by Google Play/App Store IAP via RevenueCat), government IDs, health information, or biometric data.

Can ShiftFlex employees access my team's data?
Engineering staff have access to infrastructure for maintenance and incident response only. Access is logged and audited. Production database access requires 2FA and is limited to on-call engineers. No routine access to tenant scheduling data occurs.

Where is ShiftFlex data stored?
Default region: US East (AWS us-east-1) via Supabase. Enterprise customers requiring EU data residency for GDPR compliance can request a dedicated EU-region deployment by contacting support@shiftflex.app.

How do I request deletion of my account and data?
Account deletion removes your profile, shift history, availability records, and all associated data within 30 days (GDPR Article 17). Use the in-app Delete Account option in Profile › Settings, or email support@shiftflex.app with subject "Account Deletion Request". You can also use the self-service deletion page.

Security Questions?

For enterprise security reviews, penetration test reports, or BAA requests, contact our security team directly.
