HealthWatch Global
HealthWatch Global · © 2026

Security & IT Compliance

Document for IT and InfoSec teams

EU-hosted data · AES-256 + TLS 1.3 encryption · Breach notification < 24h · GDPR Art. 28 & 32 compliant

This page answers the most common IT security questions when evaluating HealthWatch Global. If your IT team has a standard checklist, send it directly — we respond in writing within 2 business days.

Read the full DPA (GDPR Art. 28) · Institutional procurement process

Hosting & data location

Where is data hosted?

Database and authentication: Supabase, AWS eu-central-1 region (Frankfurt, Germany). Web app and API: Vercel, EU edge region enabled. Transactional email: Brevo (Sendinblue SAS), Paris, France. All data remains within the European Union.

Are data transferred outside the EU?

Not for health surveillance and account data. Infrastructure logs may transit through global Vercel edge CDN nodes; those transfers are covered by Standard Contractual Clauses (SCCs). No transfers are made to third countries that are not covered by an adequacy decision or SCCs.

Is an offline or on-premise deployment available?

No. HealthWatch Global is a cloud SaaS service only. On-premise deployment is not available at this stage.

Encryption

Encryption in transit

HTTPS enforced on all routes. TLS 1.2 minimum, TLS 1.3 preferred. Unencrypted HTTP connections are automatically redirected to HTTPS.

Encryption at rest

AES-256 managed by Supabase (AWS RDS encrypted volumes). User passwords are never stored in clear text — hashed with bcrypt via Supabase Auth.

Backup encryption

Supabase automated backups are encrypted at the same level as production data (AES-256, same AWS region).

Access control

How is data access controlled?

Supabase Row-Level Security (RLS) enabled on all tables: each user can only access data within their organization. API routes use the Supabase service role only for system operations (crons, webhooks) — never exposed client-side.

Least-privilege principle

Application roles are distinct: user role (read-only, own org), service role (cron operations, limited read-write on system tables), admin role (restricted to /admin interface, protected by Supabase Auth + DB role check).
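The two answers above describe per-organization isolation enforced in the database (RLS on every table, a read-only user role, and a service role that bypasses RLS and is used only server-side). The following is an added example written for this page, not HealthWatch Global's own schema or code: it shows what such a setup looks like in Postgres on Supabase. The table and column names (organizations, org_members, reports, org_id) and the helper function my_org_ids() are assumptions for illustration; auth.uid() is Supabase's built-in helper that returns the calling user's JWT subject.

```sql
-- Added example (not HealthWatch Global's schema): per-organization isolation
-- with Postgres row-level security on Supabase. Table and column names and the
-- helper my_org_ids() are assumptions; auth.uid() is Supabase's own helper.

create table if not exists organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table if not exists org_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role    text not null default 'member' check (role in ('member', 'org_admin')),
  primary key (org_id, user_id)
);

create table if not exists reports (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null references organizations(id) on delete cascade,
  title      text not null,
  body       text,
  created_by uuid not null default auth.uid(),
  created_at timestamptz not null default now()
);

-- Helper: the organizations the calling user belongs to. security definer so a
-- policy can consult org_members without that table's own policy recursing;
-- search_path is pinned so the function cannot be redirected to another schema.
create or replace function my_org_ids()
returns setof uuid
language sql
security definer
set search_path = public
stable
as $$
  select org_id from org_members where user_id = auth.uid();
$$;
revoke all on function my_org_ids() from public;
grant execute on function my_org_ids() to authenticated;

-- 1. Enable RLS on every table holding tenant data. With RLS enabled and no
--    policy defined, non-owner roles get "deny all" by default.
alter table organizations enable row level security;
alter table org_members   enable row level security;
alter table reports       enable row level security;

-- 2. User role: read-only, restricted to the caller's own organization(s).
create policy "members read their organizations" on organizations
  for select to authenticated
  using (id in (select my_org_ids()));

create policy "members read their membership rows" on org_members
  for select to authenticated
  using (org_id in (select my_org_ids()));

create policy "members read their org's reports" on reports
  for select to authenticated
  using (org_id in (select my_org_ids()));

-- No insert/update/delete policy exists for 'authenticated', so writes sent
-- from the browser are rejected even though the anon key is public.
-- Supabase's service_role has BYPASSRLS, so none of these policies apply to
-- it; the isolation only holds if that key never reaches the client.

-- 3. Check: impersonate a user in the SQL editor and confirm that rows from
--    another organization are invisible. <user-uuid> and <other-org-uuid>
--    are placeholders.
-- begin;
-- set local role authenticated;
-- set local request.jwt.claims = '{"sub":"<user-uuid>","role":"authenticated"}';
-- select count(*) from reports where org_id = '<other-org-uuid>';  -- expect 0
-- rollback;
```

The check at the end is the one worth running after every schema change: a new table that is created without `enable row level security` is readable by any holder of the public anon key, and a policy that forgets the `org_id` predicate silently widens access to every organization.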

Multi-factor authentication (MFA) available?

Not natively at this stage. Authentication relies on Supabase Auth (secure JWTs, expiring sessions). MFA is on the Enterprise roadmap.

Session management

JWT sessions with automatic expiration and rotation via Supabase Auth. On logout or account termination, tokens are immediately invalidated.

Backups & availability

Backup frequency

Automatic daily database backups via Supabase. Point-in-time recovery (PITR) available on Supabase Pro plan (7-day retention).

Availability SLA

99.9% uptime target (combined Vercel + Supabase infrastructure). A written SLA is included in Team and Enterprise subscriptions.

Recovery time objective (RTO / RPO)?

Estimated RTO: < 4 hours for full restoration. RPO: < 24 hours (daily backup frequency). These values are indicative and can be formalized by contract for Enterprise subscriptions.

Breach notification & incident response

Breach notification timeline

Notification to the Controller within 24 hours of becoming aware, in accordance with GDPR Art. 33. Notification includes: nature of the breach, categories and volume of data affected, measures taken and planned corrective actions.

Incident response process

1) Detection (Sentry monitoring + Supabase alerts)
2) Containment (revoke compromised access)
3) Controller notification < 24h
4) CNIL notification if high risk < 72h
5) Post-incident report available on request

Vulnerability disclosure

Vulnerability reports can be sent to security@healthwatch-global.com. We respond within 5 business days with an acknowledgement and estimated remediation timeline.

Sub-processors & supply chain

Sub-processor list (GDPR sub-processors)

Supabase Inc. (DB & Auth, Frankfurt), Brevo/Sendinblue SAS (email, Paris), Vercel Inc. (hosting & CDN, EU edge), Stripe Inc. (payments, EU/US — SCCs). Full list with each sub-processor's DPA is available in our GDPR Art. 28 DPA.

Notification of sub-processor changes

Pursuant to GDPR Art. 28(2), the Controller will be notified of any intended addition or replacement of a sub-processor with reasonable prior notice, giving the Controller the opportunity to object.

Certifications & audits

Are you ISO 27001 certified?

No. HealthWatch Global is at an early stage. We apply equivalent technical controls (encryption, RLS, RBAC, monitoring, backups) and document them in a verifiable manner. ISO 27001 certification is planned from 2027.

Has a security audit or penetration test been conducted?

No formal pentest at this stage. A source code audit can be arranged for Enterprise subscriptions on request. We provide access to the private repository for technical review.

SOC 2 report available?

No. Supabase (our database provider) is SOC 2 Type II certified — their report is available through their Trust Center. Vercel also holds SOC 2 attestations.

Does your IT team have a specific checklist?

Send us your standard question list (any format — Word, PDF, or email). We respond point by point in writing within 2 business days, in the format your procurement process requires.