Security overview
How we handle authentication, data, and the rest of the boring stuff your IT team rightly cares about. Written for the recycling portal at portal.awbadelaide.com.au. Last reviewed May 2026.
Where the portal runs
The application is hosted on Vercel with functions pinned to the Sydney (syd1) region. The database, file storage, and authentication services are provided by Supabase, hosted in Asia Pacific (ap-southeast-2). Both providers are SOC 2 Type 2 certified.
All client data is stored within Australia. We do not export personally identifiable information to overseas processors as part of normal operation.
Transport and storage encryption
- All connections are TLS 1.2+ (Vercel-issued certificate, HSTS enforced with a two-year max-age).
- Database storage is encrypted at rest with AES-256.
- Object storage (pickup photos) is encrypted at rest. Access is gated by short-lived signed URLs; no photo is ever served from a public URL.
- Plain HTTP requests are upgraded to HTTPS via
upgrade-insecure-requestsin our Content Security Policy.
Authentication
Users sign in with email + password or a one-time email magic link, both backed by Supabase Auth. Passwords are hashed with bcrypt. Sessions are managed via short-lived JWTs paired with refresh tokens; tokens are stored in HTTP-only cookies (inaccessible to JavaScript).
New users are invited by an AWB admin — there is no public sign-up form. Invitation emails are sent from a domain we control.
Authorization
Access control is enforced at the database level via PostgreSQL Row-Level Security. Each user is assigned exactly one of four roles:
- Client viewer — read-only access to the sites they are explicitly assigned.
- Client admin — manages other users within their own organisation; sees all sites for that organisation.
- AWB driver — can submit pickup records for sites they are explicitly assigned.
- AWB admin — full operational access for AWB staff.
A client’s dashboard never returns data belonging to a different client. This is enforced in the database itself, not in application code — even a bug in the front-end cannot leak data across organisation boundaries.
Audit trail
Every privileged action — pickup submissions, sales records, user invitations, password resets, report downloads, sign-ins, sign-outs — is recorded in an append-only audit log. The log is admin-readable and cannot be modified or deleted, including by AWB admins. Pickup records themselves are protected by a database-level immutability trigger: once submitted, they cannot be edited or deleted; corrections are recorded as new entries that link back to the original.
Browser-level hardening
The portal sets the following HTTP security headers on every response:
Content-Security-Policyrestricting script, style, image, font, frame, and network sources.Strict-Transport-Securityforcing HTTPS for two years.X-Frame-Options: DENY+ CSPframe-ancestors ‘none’preventing clickjacking.X-Content-Type-Options: nosniffpreventing MIME-type confusion attacks.Referrer-Policystrict-origin-when-cross-origin.Permissions-Policydefaulting browser APIs to denied, with explicit same-origin allowances for camera and geolocation (used by the driver app for pickup photos and GPS).
Backups and continuity
Database backups are automated daily by Supabase with at least 7 days of retention; point-in-time recovery is available on request. Vercel deployments are immutable and instantly reversible. Configuration (including database schema and policies) is tracked in version control.
Subprocessors
The portal relies on the following third-party services:
- Vercel — application hosting, edge network, TLS termination. Security overview · DPA
- Supabase — managed PostgreSQL, file storage, authentication. Security overview · DPA
Reporting a security issue
If you believe you have found a security vulnerability, please email security@awbadelaide.com.au. We aim to acknowledge reports within two business days.
For IT and procurement teams
AWB Adelaide Pty Ltd is a small Australian-owned business. We are not currently SOC 2 or ISO 27001 certified ourselves, but our underlying providers (Vercel, Supabase) are. We are happy to complete vendor security questionnaires, sign mutual NDAs, or provide a customised data-processing addendum for client engagements.
For procurement discussions, contact hello@awbadelaide.com.au.
This page is informational. Specific commitments to a client are made in the engagement contract signed with that client. For authentication or sign-in help, use /login.