Trust Center

Data security is the foundation, not a feature.

CoheraWork™ is a multi-tenant SaaS platform. Every client organisation's data is logically isolated at the database level — not at the application level.

Multi-tenant isolation

Layer	Mechanism	Test protocol
Database	Row Level Security on every table · org_id filter on every read and write	Cross-tenant query returns zero rows — verified each sprint
API	JWT validated on every request · org_id extracted from claim · injected into every query	Cross-org JWT against another org's data returns 403
File storage	Bucket-level RLS · path is /orgs/{org_id}/ · access only via signed URLs	Foreign signed URL returns 403
Realtime	Channel subscriptions scoped to org_id and participant_id	Cross-org subscription receives no events
Reports & certificates	Generated files stored under org_id · download URLs signed with 15-minute expiry	Expired URL returns 403

What we do not store

Raw payment card data
Stripe handles all card processing. CoheraWork never touches card numbers, CVVs or expiry dates.
Biometric data
We do not collect facial recognition, fingerprints, or any biometric identifiers.
Health or medical data
We collect no health information. Participant data is professional context only.
Location data
We do not track participant location or device location.
GDPR Article 9 special categories
Race, ethnic origin, political opinions, religious beliefs, sexual orientation — none collected.

Your GDPR rights

Right of access (Art. 15)
Self-service export from your settings; full personal data in JSON.
Right to rectification (Art. 16)
Profile fields editable in-app; immediate.
Right to erasure (Art. 17)
Response content deleted; scores anonymised to preserve cohort integrity; audit events retained as legally required. 30 days from request.
Right to data portability (Art. 20)
JSON export from dashboard; immediate self-service.
Right to object (Art. 21)
Reviewed by Data Protection Officer within 30 days.

Encryption & secrets

In transit: TLS 1.3 on every connection. HSTS enforced. No plaintext fallback.

At rest: AES-256 on database and file storage. All DNA documents and generated reports encrypted.

Secrets: API keys and credentials stored in vault — never in source, environment files, or CI configuration.

Passwords: Bcrypt-hashed; minimum length 8 with character class requirements; MFA available, required for admin roles when org policy enables it.

Sub-processors

Provider	Purpose	Region
Supabase Inc.	Database, auth, storage, edge functions	EU/US (per project)
Cloudflare Inc.	Edge runtime, CDN, DDoS protection	Global edge
Stripe Inc.	Payment processing	United States
Lovable AI Gateway	AI inference (DNA, scenarios, evaluation)	Global
Resend Inc.	Transactional email	United States

Questions? security@cohera.work · DPA available on request.