EMPOBase
Security & privacy

Built on Google Cloud. Audit-ready.

EMPOBase is hosted entirely on Google Cloud — the same security floor your country office relies on when it uses Gmail or Drive. This page covers what we guarantee today, what's on the immediate roadmap, and the vendors who touch your data.

Hosting
Google Cloud
Singapore region. EU residency available for Enterprise.
Encryption
In transit + at rest
TLS in transit. Google-managed encryption on every byte at rest.
Isolation
Per-tenant database
Each org gets its own database. No shared rows, no cross-tenant queries.
How requests flow

From your browser to the database, in four hardened layers.

A high-level view of how every authenticated request travels through EMPOBase. Names the layer (Edge / Identity / Application / Storage), not the products underneath.

[Diagram: EMPOBase request flow. Authenticated users (field staff, director, donor liaison) pass through Edge (TLS · HSTS · CSP, DDoS & bot filtering), Identity (signed tokens, Google IdP · MFA-ready), Application (per-tenant logic: Tenant A, Tenant B) and Storage (per-tenant DB, encrypted files). Every request: edge protection → signed identity → per-tenant isolation → encrypted storage.]
What we guarantee

The security floor, in plain terms.

Implementation details are kept private for the same reason banks don't publish their network diagrams. The properties below are the ones we commit to and that an external audit will verify.

Tenant isolation

  • One database per organisation. Cross-tenant SQL is structurally impossible — there are no shared rows to leak
  • Uploads sit in per-tenant storage paths with object-level access controls. Downloads happen via short-lived signed URLs only
  • Application-tier requests are scoped to the authenticated tenant on every API call, not just at login

Encryption

  • TLS for every connection between your browser, our app, and our database. HSTS enforced
  • Google-managed encryption keys on data at rest — both databases and file storage
  • Customer-managed encryption keys (BYOK) available on Enterprise once we ship it (see roadmap below)

Identity & sessions

  • Sign-in goes through a managed Google identity provider — your credentials never touch our database
  • Identity tokens are cryptographically signed and verified server-side on every request
  • Session cookies are HttpOnly + Secure + SameSite. JavaScript can't read them; cross-site requests can't replay them
  • Authorised-domain allowlist on the identity provider — phishing pages can't proxy your login

Resilience

  • Daily database backups with point-in-time recovery — 7 days on Pro, 30 days on Enterprise
  • Secrets and credentials held in a hardware-backed key store. Rotation, IAM-controlled access, and audit logging on every read
  • Container-level immutable deploys. No SSH-into-the-server patching; every release is a fresh build replacing the old one
  • Strict Content-Security-Policy + X-Frame-Options + X-Content-Type-Options on every page

Privacy

Your data, your rules. Not training fodder.

We operate the portal. We don't own what's inside it. Beneficiary records, donor pipelines, MEAL surveys, staff payroll — the customer holds the data, and we treat it accordingly.

Data ownership
You own everything you upload. We process it to deliver the service — nothing else. Cancel and your full export is yours within 30 days.
No training, no resale
We do not sell, license, share, mine or otherwise monetise your data with third parties. We do not feed it into AI training pipelines. Period.
Right to delete
Per-record delete from the UI. Full account purge within 30 days of a written request. Backups age out within 30 days too.
Right to export
Full CSV / SQL dumps on demand for Team and above. Free tier exports come watermarked but contain the same fields.
DPA on file
Standard Data Processing Agreement covering GDPR Article 28 obligations available on request. EU Standard Contractual Clauses bundled in for non-EU transfers.
Beneficiary data
Beneficiary names, photos, GPS coordinates and identity documents are treated as Sensitive Personal Data. Per-field redaction controls in the Programs module for downstream sharing.
Sub-processors

Who else touches your data, and why.

Procurement compliance requires us to name every third party that touches customer data. If we add a new sub-processor, customers on Pro and Enterprise get 30 days' notice with the right to object.

Vendor | Purpose | Data type | Location
Google Cloud | Hosting, database, file storage, DNS, secrets | All customer data | Singapore · EU available
Google identity provider | Sign-in (Google + email) | Email, display name, sign-in timestamps | Global
Hostinger | Domain registrar | Domain ownership records only | EU (Lithuania)
Stripe | Subscription billing (Team / Pro / Enterprise) | Billing contact, email, payment instrument | USA · EU available

Stripe is enabled when paid plans launch. Until then, only Google services are sub-processors.

The honest part

What's on the roadmap, dated.

We're a young product. Pretending to hold certifications we don't would not survive your first intake call. Here is the real state.

Today

Foundational controls

  • Google Cloud-native baseline
  • Per-tenant DB isolation
  • Encryption in transit + at rest
  • DPA template on request
  • Sub-processor list (above)

In progress

2026 H2

  • MFA enrolment for all users
  • Customer-facing audit log export
  • GDPR data export + delete endpoints
  • EU data residency
  • Vendor security questionnaire kit

Roadmap

2027

  • SOC 2 Type I
  • SAML SSO (Enterprise)
  • Customer-managed encryption keys (BYOK)
  • ISO 27001 audit kickoff
  • Public status page

Talk to us

Send your security questionnaire — we'll answer it.

INGO procurement teams: send your CAIQ, your VSA, your home-grown vendor security checklist. We respond within 5 business days under NDA and walk through any gap.

Responsible disclosure: found a vulnerability? Email security@empobase.com. We acknowledge within 48 hours and credit researchers in the changelog.