Everything procurement needs, in one place

Application and primary Postgres database in Singapore (ap-southeast-1) on Vercel + Neon. Files (Vercel Blob) sit in the same region. Limited transfers go to Stripe (global) for billing and Resend (US) for transactional email — both bound by data-protection contracts; details in the DPA.

Yes. Postgres is encrypted at rest by Neon. Backups are encrypted, retained 30 days, with point-in-time recovery available within the retention window. Vercel Blob storage is encrypted at rest by Vercel. All transit is over TLS 1.2+.

Salted hashes via Better Auth — we never see, log, or store plaintext passwords. Credential endpoints are protected by Vercel BotID and a database-mode rate limiter (5 attempts / 15 min on /sign-in, /sign-up, /reset-password; 3 / 15 min on /forget-password).

Every database query is filtered by your organization id server-side. The isolation is locked in by an integration test in tests/cross-tenant.test.ts that round-trips real rows through Postgres in two orgs and asserts a query in org A cannot see org B's data — runs on every CI build.

Without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal-data breach affecting your data. The notification includes the nature of the breach, categories and approximate counts, likely consequences, and measures taken — sent to the email on file for the organization owner. Full text in /dpa Section 10.

Yes — through the tiered audit-rights flow in /dpa Section 11. Default: a security questionnaire response within 30 days. We share third-party attestation reports under NDA when available. On 30 days' written notice, no more than once per 12-month period, and at customer cost, you may engage a mutually agreed independent auditor for a remote audit of agreed scope. On-site audits are out of scope.

Not today. We don't claim certifications we haven't completed. If your procurement requires either, email security@firmworks.com — we'll be honest about whether the trade-off makes sense for your size and ours, and what would unlock starting the journey.

Our standard DPA at /dpa is designed to satisfy GDPR Article 28, Singapore PDPA, and Thailand PDPA. For most buyers, accepting our /terms (which incorporates the DPA by reference) is sufficient. A counter-signed PDF copy is available on request from legal@firmworks.com — we typically reply within 5 business days.

You can export every module as CSV for up to 30 days after cancellation. After that we delete personal data per the retention schedule in /privacy. Encrypted backups roll over in 30 days. Billing records are retained as Thai tax law requires (up to 7 years). Audit logs are retained for 1 year.

A small team of FirmWorks engineers, all bound by written confidentiality obligations. Access is limited to what's needed to operate the Service — not for product analytics, not for AI training (we do not use workspace data to train AI models), not for marketing.

Not today, but we welcome responsible disclosure and respond within 5 business days. Email security@firmworks.com with reproduction steps; reply with "PGP please" to receive an encryption key. Full responsible-disclosure scope at /security.

We update the list at /privacy and /dpa Section 7 and notify organization owners by email at least 14 days before the change takes effect. Customers may object on reasonable data-protection grounds within that window; if the objection cannot be resolved, the affected portion of the Service can be terminated for convenience.