Security
How we protect your data.
The cars in your building are worth millions. The data about them — valuations, owner details, service history, provenance records — deserves the same level of care. Here is how we protect it.
Authentication
- All user authentication is handled via Supabase Auth with industry-standard JWT tokens, verified server-side on every API request
- Role-based access control with three distinct roles: Owner Operator (full admin), Staff (operational access), and Vehicle Owner (client view of their own cars only)
- Invite-only team access — no one can join your facility account without an explicit invitation from an administrator
- All protected routes require both a valid JWT and a verified facility membership before any data is returned
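As an added illustration (not Remise's own code), the access decision the points above describe, written as a pure JavaScript function that runs after the JWT has already been verified; the role names, record shapes and sample rows are assumptions constructed for the example:

```javascript
// Added example, not Remise's code. Models the authorization gate described
// on this page: a request needs a verified JWT (assumed already checked,
// yielding `userId`) AND a facility membership; the role then scopes what is
// visible. Role names, record shapes and sample rows are constructed.

const ROLES = new Set(["owner_operator", "staff", "vehicle_owner"]);

// Constructed stand-ins for the facility membership and vehicle tables.
const memberships = [
  { userId: "u-admin", facilityId: "f-1", role: "owner_operator" },
  { userId: "u-staff", facilityId: "f-1", role: "staff" },
  { userId: "u-client", facilityId: "f-1", role: "vehicle_owner" },
];
const vehicles = [
  { id: "v-1", facilityId: "f-1", ownerUserId: "u-client" },
  { id: "v-2", facilityId: "f-1", ownerUserId: "u-other" },
  { id: "v-3", facilityId: "f-2", ownerUserId: "u-client" },
];

// The caller's membership in the facility the request targets, or null.
function membershipFor(userId, facilityId) {
  return memberships.find((m) => m.userId === userId && m.facilityId === facilityId) ?? null;
}

// Default-deny check for reading one vehicle. Returns a reason so the API
// layer can log why a request was refused without leaking it to the client.
function canViewVehicle(userId, facilityId, vehicleId) {
  const m = membershipFor(userId, facilityId);
  if (!m) return { allowed: false, reason: "no facility membership" };
  if (!ROLES.has(m.role)) return { allowed: false, reason: "unknown role" };
  const v = vehicles.find((x) => x.id === vehicleId);
  // A membership scopes exactly one facility, so cross-facility reads are
  // refused even for an Owner Operator.
  if (!v || v.facilityId !== facilityId) {
    return { allowed: false, reason: "vehicle not in this facility" };
  }
  if (m.role === "vehicle_owner" && v.ownerUserId !== userId) {
    return { allowed: false, reason: "vehicle owner may only view their own cars" };
  }
  return { allowed: true, reason: "ok" };
}

// Listing reuses the same per-row decision, so list and detail views cannot drift apart.
function listVehicles(userId, facilityId) {
  return vehicles.filter((v) => canViewVehicle(userId, facilityId, v.id).allowed);
}
```

Keeping the decision in one function and calling it from both the list and detail paths is what makes "client view of their own cars only" hold everywhere rather than in one handler.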
Data storage
- All data is stored in PostgreSQL hosted on Supabase infrastructure within the European Economic Area
- Data is encrypted at rest using AES-256 as standard on Supabase
- All data in transit is encrypted via TLS 1.2 or higher, enforced by both Supabase and Railway
- Automated backups with point-in-time recovery, provided as standard by Supabase
Infrastructure
- Our API is deployed on Railway, a platform with SOC 2 Type II compliance
- All environment variables and secrets are managed via Railway and Supabase — never exposed in code or version control
- Dependencies are reviewed and updated on a regular basis
Provenance integrity
Remise maintains an immutable provenance log for every vehicle. Every intake, condition check, service, and status change is written as a permanent record that cannot be altered after the fact. This creates a verifiable chain of custody that follows the car — to auction, to sale, to insurance claim.
This is not a soft feature. It is enforced at the API level: all provenance entries are written automatically by the server and are not editable through any interface.
What we are still building
We believe in being transparent about what is live versus in development. The following security and compliance items are on our roadmap:
- Formal penetration testing by an independent third party
- Two-factor authentication for operator accounts
- Granular audit logging for all admin actions
- ISO 27001 certification (planned as the business scales)
Reporting a vulnerability
If you believe you have found a security issue in Remise, please contact us at hello@remise.co.uk. We will acknowledge your report within 48 hours and work to resolve verified issues promptly.