+ Trust

Trust & Security

Built privacy-first. Your data is yours.

PERSONAL DATA PROTECTION ACTSINGAPOREPDPACOMPLIANT

Our commitment

We handle organisations' financial records, so privacy and security are foundational, not afterthoughts. We collect the minimum we need, isolate every customer's data, encrypt it, and never sell it. This page summarises the controls we run.

How we protect your data

  • Encryption in transit - all traffic is served over TLS (HTTPS), with HSTS enforced.
  • Encryption at rest - secrets (API keys, credentials) and backups are encrypted at rest.
  • Tenant isolation - each workspace's data is isolated at the database layer with PostgreSQL row-level security, so one customer can never see another's.
  • Least privilege - the application runs as a restricted, non-superuser database role; administrative access is separated and limited.
  • Hardened infrastructure - default-deny firewall, no public database/cache exposure, key-only SSH, automatic security updates, and intrusion lockout.
  • Application hardening - Content-Security-Policy and other security headers, rate limiting on sensitive endpoints, and automated dependency scanning.

Authentication

Sign-in uses Google Sign-In (SSO)- we never store your password, so there's no password for an attacker to steal. Multi-factor authentication is enabled on our administrative and provider accounts.

Backups & recovery

We take daily, encrypted backups of each workspace, kept on a rolling retention window, plus offsite snapshots for disaster recovery. Restores are tested periodically.

Data protection & the PDPA

We comply with Singapore's Personal Data Protection Act (PDPA). For personal data our customers process through our products, we act as a data intermediary under a Data Processing Agreement. You may request access to or correction of your personal data, and we will notify affected parties of any notifiable data breach as required by the PDPA.

Data Protection Officer: the Chief Executive Officer · privacy@inflect-iq.com

Data residency

Our application and customer data are hosted in Singapore. Where any personal data is transferred outside Singapore (for example, to a sub-processor), we apply the safeguards the PDPA requires.

Sub-processors

We rely on a small set of vetted providers, strictly to operate the service:

  • Hetzner - cloud hosting / infrastructure (Singapore region).
  • Google - sign-in (OAuth) and AI text extraction.
  • Resend - transactional email delivery.
  • Cloudflare - content delivery and edge protection (where enabled).

Certifications

We are working towards the CSA Cyber Essentials mark, under Singapore's Cyber Security Agency of Singapore (CSA) SG Cyber Safe programme. Our security and data-protection policies are documented and reviewed at least annually.

Report a security issue

Found something? Please email security@inflect-iq.com (or contact@inflect-iq.com). We appreciate responsible disclosure and will respond promptly.

The PDPA seal above is a self-declaration of our compliance posture, not an official PDPC certification.