Security

Security is infrastructure, not a feature

Roukit handles bookings, payments, and supplier data across multiple tenants. Security is built into every layer of the architecture — from database isolation to payment processing to API design.

Multi-Tenant Data Isolation

Every tenant's data is isolated at the database level using PostgreSQL Row-Level Security (RLS) policies. Even if application code has a bug, one tenant's data is never accessible to another. RLS policies are enforced by the database engine itself, not by application logic.

  • Row-Level Security enforced at the PostgreSQL level
  • Per-tenant data isolation across all 66 database tables
  • Tenant context validated on every query
  • No shared data between tenant environments
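
A coverage check for the isolation described above, as an added example (not Roukit's code): it audits rows shaped like PostgreSQL's `pg_class` and `pg_policies` catalogs for tables where RLS is off, not forced, or not tenant-scoped. The `app.tenant_id` session setting and the sample tables are assumptions made for illustration.

```typescript
// Row shapes mirror pg_class (relname, relrowsecurity, relforcerowsecurity)
// and the pg_policies view (tablename, policyname, qual, with_check).
type TableRow = { relname: string; relrowsecurity: boolean; relforcerowsecurity: boolean };
type PolicyRow = { tablename: string; policyname: string; qual: string | null; with_check: string | null };
type Finding = { table: string; issue: string };

// Assumption: tenant context is carried in a session setting named app.tenant_id.
const TENANT_MARKER = "app.tenant_id";

function auditRls(tables: TableRow[], policies: PolicyRow[]): Finding[] {
  const findings: Finding[] = [];
  for (const t of tables) {
    const own = policies.filter((p) => p.tablename === t.relname);
    if (!t.relrowsecurity) {
      findings.push({ table: t.relname, issue: "rls_disabled" });
      continue;
    }
    // Without FORCE ROW LEVEL SECURITY the table owner is not subject to policies.
    if (!t.relforcerowsecurity) findings.push({ table: t.relname, issue: "owner_bypasses_rls" });
    // RLS on with zero policies is default-deny: safe, but usually a migration gap.
    if (own.length === 0) findings.push({ table: t.relname, issue: "no_policy_default_deny" });
    for (const p of own) {
      // Every expression the policy defines must reference the tenant context.
      const exprs = [p.qual, p.with_check].filter((e): e is string => e !== null);
      if (exprs.some((e) => !e.includes(TENANT_MARKER)))
        findings.push({ table: t.relname, issue: `policy_not_tenant_scoped:${p.policyname}` });
    }
  }
  return findings;
}

// Constructed catalog rows for illustration (not Roukit's schema).
const SAMPLE_TABLES: TableRow[] = [
  { relname: "bookings", relrowsecurity: true, relforcerowsecurity: true },
  { relname: "suppliers", relrowsecurity: true, relforcerowsecurity: false },
  { relname: "audit_log", relrowsecurity: false, relforcerowsecurity: false },
  { relname: "payments", relrowsecurity: true, relforcerowsecurity: true },
];
const SAMPLE_POLICIES: PolicyRow[] = [
  { tablename: "bookings", policyname: "tenant_isolation",
    qual: "(tenant_id = (current_setting('app.tenant_id'::text))::uuid)", with_check: null },
  { tablename: "suppliers", policyname: "allow_all", qual: "true", with_check: null },
];

const SAMPLE_FINDINGS = auditRls(SAMPLE_TABLES, SAMPLE_POLICIES);
```

Superusers and roles with the `BYPASSRLS` attribute skip policies regardless of these flags, so the same review should also list which database roles the application connects as.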

Encryption

All data is encrypted both at rest and in transit. Database storage uses AES-256 encryption. All connections between services use TLS 1.2 or higher. API keys, payment credentials, and sensitive configuration are stored in environment-level secrets, never in code.

  • AES-256 encryption at rest for all stored data
  • TLS 1.2+ for all data in transit
  • HTTPS enforced across all endpoints
  • Secrets managed via environment variables, never committed to code

Authentication & Access Control

Authentication is handled by Supabase Auth with support for email/password, magic links, and OAuth providers. Sessions are managed with secure, HTTP-only tokens. Role-based access control separates admin, operator, and customer permissions.

  • Supabase Auth with secure session management
  • Magic link and OAuth authentication options
  • Role-based access control (RBAC) for all user types
  • HTTP-only, secure session cookies
  • Automatic session expiration and refresh

Payment Security

Roukit never stores credit card numbers or sensitive payment data. All payment processing is handled by Stripe and PayPal, both PCI DSS Level 1 certified. Payment tokens are used for recurring transactions. Webhook signatures are verified on every callback.

  • PCI DSS Level 1 compliance via Stripe and PayPal
  • No credit card data stored on Roukit servers
  • Tokenized payment processing
  • Webhook signature verification on all callbacks
  • Secure payment intent flow with server-side confirmation
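
What webhook signature verification involves for a Stripe-style callback, as an added example (not Roukit's code; production handlers would normally call the provider's SDK): an HMAC-SHA256 over `<timestamp>.<raw body>`, a constant-time comparison, and a replay window. The secret, event body and timestamp are constructed, and PayPal callbacks use a different scheme that is not shown.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type VerifyResult = { ok: boolean; reason: string };

// Split "t=<unix seconds>,v1=<hex>[,v1=<hex>]" into its timestamp and v1 signatures.
function parseSignatureHeader(header: string): { t: string; v1: string[] } | null {
  let t = "";
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t" && /^\d{1,12}$/.test(value)) t = value;
    if (key === "v1" && /^[0-9a-f]{64}$/i.test(value)) v1.push(value);
  }
  return t !== "" && v1.length > 0 ? { t, v1 } : null;
}

// The MAC covers the body exactly as received; re-serialized JSON will not match.
function signedDigest(rawBody: string, t: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(`${t}.${rawBody}`, "utf8").digest();
}

function verifyWebhook(rawBody: string, header: string, secret: string,
                       nowSeconds: number, toleranceSeconds = 300): VerifyResult {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return { ok: false, reason: "malformed_header" };
  const expected = signedDigest(rawBody, parsed.t, secret);
  // timingSafeEqual needs equal lengths; the parser only admits 32-byte hex values.
  const match = parsed.v1.some((sig) => timingSafeEqual(Buffer.from(sig, "hex"), expected));
  if (!match) return { ok: false, reason: "signature_mismatch" };
  // A valid signature on an old timestamp is a replay, so bound the accepted age.
  if (Math.abs(nowSeconds - Number(parsed.t)) > toleranceSeconds)
    return { ok: false, reason: "timestamp_outside_tolerance" };
  return { ok: true, reason: "ok" };
}

// Constructed sample values (not real credentials or events).
const EXAMPLE_SECRET = "whsec_constructed_example_only";
const EXAMPLE_BODY = '{"id":"evt_constructed","type":"payment_intent.succeeded"}';
const EXAMPLE_TIME = 1700000000;
const EXAMPLE_HEADER =
  `t=${EXAMPLE_TIME},v1=${signedDigest(EXAMPLE_BODY, String(EXAMPLE_TIME), EXAMPLE_SECRET).toString("hex")}`;
```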

Infrastructure Security

The platform runs on Vercel's edge network with automatic DDoS protection and global CDN distribution. Static assets are served from AWS S3 + CloudFront with signed URLs where needed. Database infrastructure is managed by Supabase with automated backups and point-in-time recovery.

  • Vercel edge network with built-in DDoS protection
  • AWS S3 + CloudFront CDN for media delivery
  • Automated database backups with point-in-time recovery
  • Infrastructure monitoring and alerting
  • Automatic SSL certificate management

API Security

All API endpoints validate input, sanitize data, and enforce rate limits. CORS policies restrict cross-origin requests. API routes use server-side authentication checks before processing any request. Structured error responses never leak internal details.

  • Input validation and sanitization on all endpoints
  • Rate limiting to prevent abuse
  • CORS policies restricting cross-origin access
  • Server-side authentication on all protected routes
  • Structured error responses without internal detail leakage

Compliance & data governance

Designed with regulatory requirements in mind from the start.

GDPR Ready

The platform is designed with GDPR principles in mind. User data can be exported and deleted on request. Consent is collected before data processing. Data minimization is practiced across all collection points.

Data Residency

Database infrastructure is hosted in regions that comply with data residency requirements. Enterprise customers can request specific data residency configurations.

Audit Logging

Administrative actions, authentication events, and data access patterns are logged for audit purposes. Logs are retained according to compliance requirements and are available for review.

Access Reviews

Internal access to production systems follows the principle of least privilege. Access is reviewed regularly and revoked when no longer needed.

Secure development practices

Security starts in the development process, not after deployment.

Secure development

Strict TypeScript across the entire codebase catches type-related vulnerabilities at compile time. Dependencies are pinned to exact versions and reviewed before adoption.

Dependency management

Automated vulnerability scanning runs on all dependencies. Security patches are applied within 48 hours of disclosure for critical vulnerabilities.

Code review

All code changes go through review before deployment. Security-sensitive changes (auth, payments, data access) receive additional scrutiny.

Environment separation

Development, staging, and production environments are fully separated. Production credentials are never used in development or testing.

Responsible disclosure

We take security vulnerabilities seriously.

If you believe you've found a security vulnerability in Roukit, we encourage you to report it responsibly. Please email security@roukit.com with details of the vulnerability.

When reporting, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof of concept

We commit to acknowledging reports within 48 hours and providing an initial assessment within 5 business days. We ask that you give us reasonable time to address the issue before any public disclosure.

Questions about security?

If you have specific security questions or need additional information for your compliance review, reach out to our team.