security-statement-v0.1.md
1. Overview
TradeBoard is built to protect business vehicle deal data and restrict access to the people listed on each deal.
Security is a shared responsibility. TradeBoard protects the platform. Customer organisations and users must manage who they invite, keep account access secure and upload only appropriate information.
2. Hosting and infrastructure
TradeBoard is hosted on Cloudflare Workers. Customer application authentication, database and file storage are provided by Supabase.
Admin routes are protected separately using Cloudflare Access.
3. Authentication
Customer users sign in through Supabase authentication. Admin access is protected separately through Cloudflare Access.
Users must keep their email account and login access secure.
4. Access control
TradeBoard uses deal-level access. Users should only see deals where they are listed or otherwise authorised.
Users may be listed as seller, buyer, seller broker or buyer broker.
5. Files and storage
Uploaded deal files are stored in Supabase Storage. Deal file access is intended to be controlled through authenticated TradeBoard routes rather than public bucket access.
Users should not upload passwords, payment card data, unnecessary personal data or files they are not authorised to share.
6. Audit and timeline records
TradeBoard keeps workflow history such as comments, uploads, status changes and legal document acceptance records. These records help show what happened and when.
7. Email notifications
TradeBoard sends operational emails for events such as invitations, file uploads, comments and status changes. Emails should not be treated as a secure archive of all deal data.
8. Backups and recovery
Database and storage backup arrangements depend on Supabase configuration and TradeBoard operational processes.
During beta, TradeBoard does not provide fixed backup, restore time or recovery point commitments. Formal backup and recovery commitments should be finalised before paid launch.
9. Vulnerability reporting
Security issues should be reported to:
hello@tradeboard.uk
Please include enough detail to understand and reproduce the issue. Do not access data that is not yours, disrupt the service or publicly disclose an issue before TradeBoard has had a reasonable opportunity to respond.
During beta, TradeBoard aims to acknowledge security reports within a reasonable time and will prioritise serious issues based on risk and impact.
10. Incident response
If TradeBoard becomes aware of a security incident, it will investigate, take containment steps and notify affected customers or regulators where legally required.