This page explains how YachtSync protects your data. We don’t hide behind buzzwords. If we don’t do something, we say so. If we’re working towards something, we say that too.
If you spot a security issue or have a question we haven’t answered, email security@yachtsync.uk.
Summary of Key Points
The honest TL;DR.
Encryption. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are stored as salted bcrypt hashes — we cannot read your password.
Access control. Row-level security at the database layer means each user can only access their own records — the App is just one of several layers that enforce this.
Where your data lives. Your certificates and account data are hosted in the European Union (Dublin, Ireland) by Supabase, on AWS infrastructure. AI scanning is processed by Anthropic in the United States under standard contractual clauses.
What we’re not. We’re not yet SOC 2 certified. We don’t run a paid bug bounty programme. We haven’t commissioned an external penetration test. We tell you this so you can decide for yourself whether the controls we describe below are enough for your situation.
1. Encryption
In transit
All communication between the YachtSync App, our website, and our backend is protected by TLS 1.2 or higher. Connections that don’t meet this standard are rejected.
At rest
All data stored in our databases and file storage is encrypted at rest using AES-256. This is handled at the infrastructure layer by our hosting partner Supabase, on top of AWS’s native encryption.
Passwords
We never store your password in plaintext. We use Supabase Auth, which stores passwords as salted bcrypt hashes. Even our staff cannot recover your password — if you forget it, the only path forward is a reset.
What this means in plain English
If someone managed to intercept traffic between your phone and our servers, they would see encrypted data. If someone managed to obtain a backup of our database without permission, the data inside it would also be encrypted.
What encryption does NOT mean here
To be clear: this is not end-to-end encrypted. Supabase, our infrastructure provider, has access to the encryption keys for your data, because they need to serve it to you. If you’re looking for true zero-knowledge encryption (where even the provider cannot read your data), YachtSync does not currently offer that.
2. Access control
Row-Level Security (RLS)
Our database uses row-level security policies that enforce user isolation at the database layer. This means even if every other layer of the App failed, the database itself would refuse to return one user’s data to another user.
Authentication
- Email verification required before account activation
- Password reset requires access to your email address
- Session tokens expire and are rotated on a regular schedule
Two-factor authentication
2FA is not yet available in the App. It’s on our roadmap (see Section 9).
Administrative access
Only authorised YachtSync personnel can access administrative systems, and only when necessary for support, security or maintenance. The admin role is enforced both in the App and at the database level via RLS.
Audit logging
Significant account actions (uploads, deletions, profile changes, login events) are recorded in an audit log so we can investigate if something looks suspicious.
3. Where your data lives
| Data | Location | Provider |
|---|---|---|
| User accounts and certificate metadata | EU — Dublin, Ireland | Supabase (on AWS) |
| Certificate files (PDFs) | EU — Dublin, Ireland | Supabase Storage (on AWS S3) |
| AI document processing | United States | Anthropic (Claude API) |
| Push notification delivery | US / Ireland | Apple APNs / Google FCM / Expo |
| This website | Global CDN | Vercel |
For data transfers outside the UK and EU (specifically to Anthropic and Vercel in the US), we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses as the legal mechanism. These are the safeguards approved by the UK Information Commissioner’s Office.
4. What we don’t store
Equally important is what we don’t collect.
- No payment data. The App is currently free. We don’t store credit cards, bank accounts or billing addresses. If we add paid tiers, billing will be handled by Apple and Google — we won’t see your card details.
- No device location. We don’t request or use GPS, location services or geofencing.
- No contact list access. We don’t read your phone’s address book.
- No browsing history. We don’t track what other apps or websites you use.
- No advertising data. We don’t use any advertising SDKs and we don’t share data with ad networks.
- No biometrics. Face ID and Touch ID, if you use them to unlock the App, are handled by your device. We never see the biometric data.
5. Our security vendors
We don’t reinvent the wheel. We rely on infrastructure providers with strong security track records. You inherit much of their compliance through us.
| Provider | Role | Independent certifications |
|---|---|---|
| Supabase | Database, file storage, authentication | SOC 2 Type 2, HIPAA-eligible |
| AWS (underlying Supabase) | Cloud infrastructure | SOC 1/2/3, ISO 27001, PCI-DSS, FedRAMP |
| Anthropic | AI document scanning | SOC 2 Type 2, ISO 27001 |
| Apple | App Store distribution, APNs | SOC 2 Type 2, ISO 27001 |
| Vercel | Website hosting | SOC 2 Type 2, ISO 27001 |
Certification status of these providers can change — we recommend checking their security pages for the most up-to-date information.
6. AI processing
AI scanning is one of YachtSync’s core features and it has its own dedicated transparency page covering exactly what data is sent, what isn’t, what Anthropic does with it, and how you can opt out.
7. If something goes wrong
If we ever discover a security incident affecting your personal data, we will:
- Notify the UK Information Commissioner’s Office (ICO) within 72 hours, as required by UK GDPR
- Notify you directly without undue delay if there is likely to be a high risk to your rights or freedoms
- Tell you what happened, what data was affected, what we’re doing about it, and what you should do
We will not minimise, cover up or delay disclosure. A security incident is bad enough on its own — mishandling the response makes it worse.
8. Responsible disclosure
If you’re a security researcher, customer or member of the public who has found a vulnerability in YachtSync, please report it to security@yachtsync.uk.
We commit to:
- Acknowledge your report within 3 working days
- Investigate and respond with a fix timeline
- Credit you (if you wish) once the issue is resolved
- Not pursue legal action against good-faith researchers acting within the spirit of these guidelines
Please:
- Don’t access, modify or destroy other users’ data
- Don’t perform denial-of-service testing
- Give us reasonable time to fix issues before public disclosure
We don’t currently run a paid bug bounty programme, but we genuinely appreciate disclosures and will publicly thank researchers who help.
9. What we’re working on
An honest list of security improvements on our roadmap. We don’t commit to dates — we commit to doing them properly.
- Two-factor authentication — for account login
- External penetration test — we plan to commission an independent test once we reach a meaningful user base
- SOC 2 Type 1, then Type 2 — planned alongside the launch of paid B2B tiers, when external customers will require it
- Public audit log access — let users view their own account activity history in-app
- Account-level encryption keys — investigating whether per-user encryption keys are practical without harming the AI scanning feature
If you’d like to know our progress on any of these, ask: security@yachtsync.uk.
10. Your role in security
The most secure system in the world can be undone by an account takeover. A few things you can do that materially improve your security:
- Use a strong, unique password for YachtSync (a password manager makes this trivial)
- Don’t share your login with crew, captains or anyone else — if they need your certs, use the share feature
- Lock your phone with a PIN, passcode, Face ID or Touch ID
- Sign out on devices you don’t personally own
- If your phone is lost or stolen, change your password immediately
- Be wary of phishing — we will never ask you for your password
11. Contact
Security questions, concerns, or vulnerability reports:
Email: security@yachtsync.uk
General contact: legal@yachtsync.uk
Post:
YachtSync Ltd
66 Paul Street
London EC2A 4NA
United Kingdom