CAIQ-Lite Self-Assessment
Simplified Cloud Security Alliance Consensus Assessments Initiative Questionnaire — 8 categories, honest answers. Where something doesn't work yet, we say so.
1. Hosting & Region
Where data physically lives, and in which region it is processed.
Where is primary application and customer data stored?
All primary data lives in Supabase Postgres in Ireland (eu-west-1). The edge layer (Vercel) caches static content in Frankfurt (fra1) and other EU edges.
Is EU data residency guaranteed?
For primary data: yes. Optional AI features (Anthropic, USA) are opt-in per account and clearly labeled in the UI. Customers who don't want them can disable the feature per account.
Which sub-region is used and can it be changed?
Currently eu-west-1 (Ireland). A switch to eu-central-1 (Frankfurt) is available on request for Enterprise customers; it is not the default today.
2. Authentication
Login security, MFA, password policy, session management.
How do end users sign in to Marginly?
Currently via magic link (email + time-limited token, valid for 15 minutes). Full password-based authentication with mandatory MFA for admins is under development; planned activation Q3 2026.
Is MFA mandatory?
Not required for end users today (magic link replaces the password). For internal admin access to Vercel, Supabase, Anthropic, Resend, and Plausible, MFA is enforced across the board.
How is session expiry handled?
Sessions expire after 30 days of inactivity. Security-relevant actions (account switching, invites) require a fresh session (≤ 15 minutes).
Is brute-force protection in place?
Yes: rate limiting on login and magic-link endpoints (5 requests / 5 minutes / IP). After repeated failures, the account is temporarily locked.
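The magic-link flow above (email + time-limited token, 15-minute validity) can be sketched as follows. This is an added illustration in Go, not Marginly's code; the token format, the `linkKey` placeholder and the function names are assumptions. It generalizes slightly by base64-encoding the address so that the delimiter cannot be confused with user input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// magicLinkTTL is the validity window the page states for a magic link.
const magicLinkTTL = 15 * time.Minute

// linkKey is a constructed placeholder; a deployment loads it from an environment secret.
var linkKey = []byte("constructed-demo-key-do-not-use")

func sign(payload string) string {
	mac := hmac.New(sha256.New, linkKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// issueToken returns "<email-b64>|<expiry-unix>|<mac>"; the MAC covers both fields,
// so neither the address nor the expiry can be altered without invalidating it.
func issueToken(email string, now time.Time) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(email)) + "|" +
		strconv.FormatInt(now.Add(magicLinkTTL).Unix(), 10)
	return payload + "|" + sign(payload)
}

// verifyToken returns the email a valid, unexpired token was issued for. The MAC is
// checked first, in constant time, so the expiry field is only trusted once signed.
func verifyToken(token string, now time.Time) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	payload := parts[0] + "|" + parts[1]
	if !hmac.Equal([]byte(parts[2]), []byte(sign(payload))) {
		return "", errors.New("invalid signature")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() > exp {
		return "", errors.New("token expired")
	}
	email, err := base64.RawURLEncoding.DecodeString(parts[0])
	return string(email), err
}
```

A production implementation would additionally record used tokens so that a link cannot be replayed within its window.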
3. Encryption
Encryption at rest, in transit, and key management.
How is data encrypted in transit?
TLS 1.2+ for all connections (browser→edge, edge→DB, service-to-service). HSTS enabled with a one-year max-age.
How is data encrypted at rest?
AES-256 at the disk level via Supabase and Vercel. Additionally, application-level encryption (AES-256-GCM) for secrets in the AppSetting table (e.g., OAuth tokens, API keys).
How are cryptographic keys managed?
The master encryption key is stored as a Vercel environment secret, not in the database. Rotation: annually, or upon suspected compromise. Sub-processor keys (Supabase, Vercel) are managed by the providers and documented in their SOC 2 reports.
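The application-level encryption described above (AES-256-GCM for AppSetting secrets, master key outside the database, annual rotation) can be illustrated as follows. This is an added example in Go, not Marginly's code; the `vault` type, the key-ID record prefix and the use of the setting name as authenticated data are assumptions made to show how rotation and row-swapping are handled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// gcmFor turns a 32-byte master key into an AES-256-GCM AEAD; a bad key panics
// so that a misconfigured master key stops the service at startup, not later.
func gcmFor(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("master key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return gcm
}

// vault: current key ID used for sealing, plus older keys kept only to open rows
// not yet re-encrypted after the annual rotation.
type vault struct {
	current string
	keys    map[string]cipher.AEAD
}

// seal encrypts one AppSetting value; the setting name is bound as additional
// authenticated data, so a ciphertext copied into another row fails to open.
func (v *vault) seal(name, plaintext string) (string, error) {
	gcm := v.keys[v.current]
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(name)) // nonce||ct||tag
	return v.current + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// open decrypts a "<keyID>:<base64>" record with whichever key sealed it.
func (v *vault) open(name, record string) (string, error) {
	keyID, enc, _ := strings.Cut(record, ":")
	gcm, ok := v.keys[keyID]
	raw, err := base64.StdEncoding.DecodeString(enc)
	if !ok || err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("unknown key id or malformed record")
	}
	n := gcm.NonceSize() // GCM rejects tampering and a wrong setting name below
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(name))
	return string(pt), err
}
```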
4. Backup & Disaster Recovery
How fast we're back online after an outage, and how old the data is when we are.
Is Point-in-Time Recovery (PITR) available?
Yes, 7 days rolling at Supabase. Recovery to any point in time within this window (RPO < 1 minute).
How frequently are backups taken?
Continuous WAL streams (PITR) plus daily snapshots, retained for 30 days.
Are restore tests performed?
Yes, every six months. Last successful test: February 2026. Result documented in the internal audit log.
What RTO / RPO do you target?
RTO: 4 hours for full restoration. RPO: < 1 minute (via continuous WAL streaming).
5. Monitoring & Logging
What we log, and how long we keep it.
Do you maintain an audit log?
Yes. Security-relevant actions (login, logout, account switching, access to tenant data, configuration changes) are recorded in a separate AuditLog table.
How long are audit logs retained?
365 days. After that they are automatically deleted. Customers can export their own audit logs to CSV at any time.
Do you use sub-processor logs?
Yes. Vercel access logs (14 days) and Supabase DB logs (7 days) are correlated during incident response.
Who has access to the logs?
Only the two Managing Directors (Alexander Schnelle, Bhavesh Tailor) and the internal Data Protection Officer. Access is via MFA-protected admin consoles and is itself logged.
6. Incident Response
What happens if something goes wrong.
How long does it take you to report a data breach to the supervisory authority?
Within 72 hours of becoming aware, in accordance with Art. 33 GDPR. Affected customers are notified in parallel or earlier, depending on severity.
What does the internal escalation path look like?
Tier 1: Tech-Lead on call (within 30 min). Tier 2: Management + DPO (within 2 h). Tier 3: External counsel / forensic team (within 24 h, if required).
Is there an incident response plan?
Yes, documented. Reviewed every six months and tested once a year as a tabletop exercise.
Are customers notified in case of an incident?
Yes. For high-risk incidents under Art. 34 GDPR, affected customers are notified directly by email within 72 hours; for low-risk incidents, information is shared in the status-page post-mortem.
7. Sub-Processors
Complete list, DPA status, international transfer safeguards.
Is there a complete, current list of sub-processors?
Yes, publicly available at /sicherheit and in the Privacy Policy. Currently: Vercel, Supabase, Anthropic, Resend, Plausible.
Is a DPA under Art. 28 GDPR in place with all sub-processors?
Yes. Vercel and Supabase: standard DPA via their self-service. Anthropic: Commercial Terms incl. DPA from 2026-01-01. Resend and Plausible: standard DPA via self-service.
Which international transfer mechanisms are used?
Vercel and Anthropic (USA): EU-US Data Privacy Framework + EU Standard Contractual Clauses (2021/914). Resend (UK): adequacy decision (EU 2021/1772). Supabase and Plausible: processing exclusively within the EU.
Are customers informed about changes to the sub-processor list?
Yes. At least 30 days before activating a new sub-processor, by email to all active account owners. Customers can object; in that case we work out a case-by-case arrangement.
8. Data Lifecycle
Right to erasure, data export, retention after end of contract.
Can customers export their data?
Yes. A complete data export as ZIP (CSV + JSON) is available at any time via the account settings. Provided asynchronously within 24 hours.
How is the right to erasure implemented (Art. 17 GDPR)?
Account deletion via the account settings, confirmed by email. Full deletion of primary data within 30 days, of backups within a further 7 days (PITR window).
What happens to data after the end of the contract?
At the customer's choice: (a) full deletion within 30 days, or (b) return as a ZIP export followed by deletion. Accounting-relevant data (invoices) is retained for 10 years for legal reasons (§ 257 HGB / § 147 AO).
Is there a retention policy for inactive accounts?
Yes. Trial accounts without a login are automatically deleted after 90 days. Paid accounts with a canceled subscription are deleted 90 days after the end of the contract (unless the customer explicitly requests longer retention).
Questions that aren't answered here? security@themarketplaceguys.com — reply within one business day.
Last updated: 2026-05-10