Security Statement
Last Updated: May 29, 2026
1. Infrastructure Security
QueueDesk is hosted on Vercel's secure, globally distributed serverless hosting infrastructure, with data nodes housed inside enterprise-grade Supabase Singapore data centers. Physical access controls, climate logging, and power redundancies are handled directly by our hosting partners under SOC 2 Type II compliance.
2. Data Isolation & Subdomain Routing
We enforce strict logical separation between tenant organizations. Every database query executed by our Drizzle ORM includes an explicit, validated `org_id` scoped to the current user's session. Subdomains are routed and isolated dynamically, and our Supabase backend utilizes Postgres Row-Level Security (RLS) as an additional failsafe against cross-tenant data leaks.
3. Encryption & Communications
All network communication with QueueDesk is encrypted in transit using Transport Layer Security (TLS 1.3). Database snapshots, file attachments stored in Supabase Storage, and configuration parameters are encrypted at rest using AES-256 standards.
4. Authentication & RBAC
We leverage Better Auth for organization and magicLink session management. Organization members are bound by Role-Based Access Control (RBAC) rules. We enforce separate views and route guards so employees can only access the employee portal (`/portal`), while agents, administrators, and owners are partitioned into their respective dashboard contexts.
5. Inbound/Outbound Email Pipelines
Our email ingestion pipeline relies on AWS SES sending logs straight to secure S3 buckets before triggering webhooks via SNS. All outbound lifecycle notifications and replies are cryptographically signed using DKIM to prevent spoofing and ensure message integrity.