Security
Where data lives, how it is protected and which sub-processors handle it.
- Region: Stockholm · arn1
- Data location: EU-only
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Identity: BankID · SAML SSO
- Backup: Daily · 30-day retention
- Incident response: Reported ≤ 72 h
- Sub-processor notice: At least 30 days in advance
Data location
Cupa runs in the Stockholm region (Supabase EU + Fly.io arn1). All customer data is stored within the EU/EEA. No transfers to third countries.
Encryption
Data at rest is encrypted with AES-256 at the database layer and in object storage. All traffic between client and server is over TLS 1.3 with strict HSTS.
Authentication & authorization
Sign-in is via BankID or SAML SSO. Tenants are isolated with row-level security (RLS) at the database level. Roles and permissions are configured per user. Sessions are JWT-based, with host-only cookies on app.cupa.se.
Sub-processors
Cupa engages sub-processors to deliver the service — including Supabase, Vercel, Fly.io and Sinch. A current, complete list with data locations, roles and DPA links is at /legal/sub-processors. We give you at least 30 days' notice before engaging new sub-processors.
Incident response
Personal data breaches are reported to the customer without undue delay, and in any event within 72 hours of detection. Status and post-mortem are shared in the customer's admin interface.
Backup & recovery
Full daily backups with 30-day retention. Point-in-time recovery at the database layer. Recovery exercises are run quarterly.
Security contact
Security questions and responsible disclosure: security@cupa.se