Overview
This page describes the security and privacy measures built into ArrivHQ. It covers how your data is encrypted, isolated, authenticated, and audited.
Data Encryption
| Layer | Method |
|---|---|
| In transit | TLS 1.2+ on all connections (web app, API, database, storage) |
| At rest | AES-256 encryption managed by Supabase (PostgreSQL) and cloud storage providers |
All communication between your browser and ArrivHQ is encrypted over HTTPS. Database storage and file storage are encrypted at rest by the underlying infrastructure.
Tenant Isolation
ArrivHQ is a multi-tenant platform. Every data row in the database includes a tenant_id column that ties it to a specific organization. Isolation is enforced at two layers:
| Layer | Mechanism |
|---|---|
| Database | Row-Level Security (RLS) policies filter every query by the tenant_id embedded in your JWT |
| API | Service-role queries manually filter by the authenticated user's tenant_id |
You cannot query, view, or modify data belonging to another tenant. The tenant_id is stamped into your account metadata at signup and carried in every session token.
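The database layer described above, as an added illustration that is not ArrivHQ's own schema: a PostgreSQL Row-Level Security policy that filters every query by the tenant_id carried in the caller's JWT. The table, its columns other than tenant_id, the helper function name, and the claim path app_metadata.tenant_id are assumptions; auth.jwt() is the Supabase-provided function that exposes the request's JWT claims as jsonb.

```sql
-- Added example, not ArrivHQ's schema. The reservations table and the
-- claim path app_metadata.tenant_id are assumptions for illustration.
create table if not exists reservations (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  guest_name text not null
);

-- Read the caller's tenant from the session JWT. If the claim is absent
-- the function returns NULL, so the policy below matches no rows at all
-- rather than falling open.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Enable RLS and FORCE it so the policy also applies to the table owner.
alter table reservations enable row level security;
alter table reservations force row level security;

-- One policy for select/insert/update/delete: a row is readable only when
-- its tenant_id equals the tenant in the JWT (USING), and a write may not
-- create or re-point a row into another tenant (WITH CHECK).
create policy tenant_isolation on reservations
  for all to authenticated
  using      (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());
```

A quick check from an ordinary user session is that `select count(*) from reservations` returns only that tenant's rows. The Supabase service_role key bypasses RLS entirely, which is why the API layer above must add its own tenant_id filter to every service-role query.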
Authentication
ArrivHQ uses Supabase Auth with email and password credentials. Sessions are managed with cookie-based tokens in the web app and Bearer tokens for API calls.
| Mechanism | Details |
|---|---|
| Password storage | Hashed by Supabase Auth (bcrypt) |
| Session tokens | JWT-based, refreshed automatically by the client |
| Web sessions | HTTP-only cookies via @supabase/ssr |
| API authentication | Bearer token validated on every request |
The web app middleware validates and refreshes your session on each page load. Unauthenticated users are redirected to the login page.
Multi-Factor Authentication (MFA)
ArrivHQ supports TOTP-based multi-factor authentication. You can enroll using any standard authenticator app such as Google Authenticator, Authy, or 1Password.
| Detail | Value |
|---|---|
| Method | Time-based One-Time Password (TOTP) |
| Enrollment | Optional for all users, available in Settings > Security |
| Requirement | Required for superadmin access to the operations panel |
| Assurance level | AAL2 (verified via JWT aal claim) |
When MFA is enabled, you are prompted for a verification code after entering your password.
Payment Security
ArrivHQ uses Stripe for all payment processing. Your payment details are handled entirely by Stripe and never touch ArrivHQ servers.
| Detail | Value |
|---|---|
| Payment processor | Stripe |
| Card storage | ArrivHQ does not store credit card numbers, CVVs, or expiration dates |
| PCI compliance | Handled by Stripe (PCI DSS Level 1 certified) |
| Billing entity | BAU ENTERPRISES LLC |
Audit Logging
Sensitive actions are recorded in an audit log for accountability and troubleshooting.
| What is logged | Details |
|---|---|
| Logged actions | MFA enrollment/unenrollment, team changes, tenant operations, billing events |
| Log contents | Action type, user ID, tenant ID, timestamp, metadata |
| Access | Audit logs are accessible to superadmins through the operations panel |
Error Logging
API errors are captured in a dedicated error log table for monitoring and debugging.
| Detail | Value |
|---|---|
| Logged data | HTTP method, path, status code, sanitized request body, tenant/user context |
| Sensitive data | Request bodies are sanitized to remove passwords and tokens before logging |
| Alerting | 5xx server errors trigger real-time notifications to the operations team via Telegram |
File Storage Security
Uploaded files are stored in Supabase Storage with the following protections:
| Measure | Details |
|---|---|
| Access control | Files are accessed via signed URLs that expire after 24 hours |
| Tenant isolation | File paths are namespaced by tenant ID |
| Encryption | At-rest encryption provided by the storage infrastructure |
Cookies
ArrivHQ uses cookies for session management. No third-party advertising or tracking cookies are used.
| Cookie purpose | Details |
|---|---|
| Session | HTTP-only cookies store your encrypted session token |
| Scope | Cookies are scoped to the arrivhq.com domain |
Data Retention
Your data is retained for as long as your account is active. If you delete your organization, all associated data (properties, reservations, expenses, files, team memberships) is permanently removed via cascading deletes across all related database tables.