Protecting your business data is foundational to AuraSea OS. This page describes our security practices and ongoing commitments. We update this page as our practices evolve.
1. Where your data lives
Customer business data — including all data you connect or enter into AuraSea OS — is stored in Supabase's Singapore region (Asia Pacific Southeast 1). Data does not leave this region for primary storage. Backups are managed within the same region under Supabase's regional retention controls.
Marketing website hosting (auraseaos.com) is provided by Vercel using their global edge network for fast delivery. The marketing site does not store customer business data.
2. Encryption
All data transferred between your devices and our servers is encrypted in transit using TLS 1.2 or higher. Data at rest in our Supabase database, and its backups, is encrypted using AES-256. Passwords are never stored in plaintext or in reversible form; they are stored only as salted hashes produced by a hashing function designed for passwords (bcrypt or argon2).
3. Access controls
Access to production systems is restricted to authorized AuraSea team members on a need-to-know basis. We require multi-factor authentication on all admin accounts. Production access is logged and reviewed. We do not access individual customer accounts except for authorized support requests, scheduled maintenance, or in response to suspected fraud or security incidents.
4. Authentication
Customer accounts are authenticated using email + password or LINE login. We support multi-factor authentication (MFA). We recommend enabling MFA on every account.
5. Third-party integrations
When you connect external systems (PMS, POS, channel managers) to AuraSea OS, we use OAuth 2.0 or other secure authentication methods where supported. We request only the minimum permissions needed to provide the service. You can revoke access at any time from your account settings.
6. Incident response
We monitor our systems for security incidents. If a data breach affects your data, we will notify you within 72 hours of becoming aware of it, in line with the requirements of Thailand's Personal Data Protection Act (PDPA), and report it to the Personal Data Protection Committee (PDPC) of Thailand where the law requires.
7. Data deletion
When you delete your account, your business data is removed from active systems within 30 days and from backups within 90 days. Some data may be retained longer where required by Thai law (e.g., financial records for tax purposes). You can request earlier deletion by contacting hello@auraseaos.com.
8. Vendor security
Our vendors (Vercel, Supabase, Resend, Omise, Google) hold their own security certifications and attestations, such as SOC 2 and ISO 27001, and document their GDPR compliance; the specific certifications held vary by vendor. We review vendor security postures annually.
9. Reporting a security issue
If you discover a security vulnerability or have a security concern, please email security@auraseaos.com. We aim to respond within 48 hours and will not pursue legal action against good-faith security researchers who responsibly disclose issues to us.