AES-256 on database fields, file uploads (logos, photos, contract templates), and backups.
Trust
Data security, in detail.
Where your data lives, how it's encrypted, what happens if something goes wrong. The technical companion to /security.
Singaporeap-southeast-1 region
AES-256Encryption at rest
6 hrBackup cadence
30 dayBackup retention
Encryption
Three layers, applied uniformly to everything we store.
TLS 1.3 for every connection, including internal service-to-service traffic.
Traccar passwords, Stripe tokens, OAuth refresh tokens stored in Supabase Vault with a separate key.
Where it lives
Singapore-first, by design
Primary database and file storage in the Singapore (ap-southeast-1) region of Supabase. Never replicated outside Singapore for live access.
Backups replicated to a secondary region (ap-southeast-2, Sydney) for disaster recovery only. Never accessed for normal operations. Same AES-256 encryption with a different key.
Backups & recovery
Every 6 hours. Point-in-time recovery within the last 7 days.
30 days full retention. Backups encrypted with a separate key from the live database.
Replicated to a second region for disaster recovery. RPO 6 hours, RTO 4 hours.
Backups test-restored monthly to verify recovery integrity.
Data deletion
Three flavours, always your call.
One click from Settings. Soft-deleted immediately (no longer accessible), hard-deleted from database within 30 days.
For data subject requests from your customers. Self-service from your dashboard.
Backups containing deleted data age out within 30 days. Email privacy@rundo.app for expedited hard-delete.
Ready to run on autopilot?
Drop your email, we'll send your invite as a slot opens.