+ Trust
Trust & Security
Built privacy-first. Your data is yours.
Our commitment
We handle organisations' financial records, so privacy and security are foundational, not afterthoughts. We collect the minimum we need, isolate every customer's data, encrypt it, and never sell it. This page summarises the controls we run.
How we protect your data
- Encryption in transit - all traffic is served over TLS (HTTPS), with HSTS enforced.
- Encryption at rest - secrets (API keys, credentials) and backups are encrypted at rest.
- Tenant isolation - each workspace's data is isolated at the database layer with PostgreSQL row-level security, so one customer can never see another's.
- Least privilege - the application runs as a restricted, non-superuser database role; administrative access is separated and limited.
- Hardened infrastructure - default-deny firewall, no public database/cache exposure, key-only SSH, automatic security updates, and intrusion lockout.
- Application hardening - Content-Security-Policy and other security headers, rate limiting on sensitive endpoints, and automated dependency scanning.
Authentication
Sign-in uses Google Sign-In (SSO)- we never store your password, so there's no password for an attacker to steal. Multi-factor authentication is enabled on our administrative and provider accounts.
Backups & recovery
We take daily, encrypted backups of each workspace, kept on a rolling retention window, plus offsite snapshots for disaster recovery. Restores are tested periodically.
Data protection & the PDPA
We comply with Singapore's Personal Data Protection Act (PDPA). For personal data our customers process through our products, we act as a data intermediary under a Data Processing Agreement. You may request access to or correction of your personal data, and we will notify affected parties of any notifiable data breach as required by the PDPA.
Data Protection Officer: the Chief Executive Officer · privacy@inflect-iq.com
Data residency
Our application and customer data are hosted in Singapore. Where any personal data is transferred outside Singapore (for example, to a sub-processor), we apply the safeguards the PDPA requires.
Sub-processors
We rely on a small set of vetted providers, strictly to operate the service:
- Hetzner - cloud hosting / infrastructure (Singapore region).
- Google - sign-in (OAuth) and AI text extraction.
- Resend - transactional email delivery.
- Cloudflare - content delivery and edge protection (where enabled).
Certifications
We are working towards the CSA Cyber Essentials mark, under Singapore's Cyber Security Agency of Singapore (CSA) SG Cyber Safe programme. Our security and data-protection policies are documented and reviewed at least annually.
Report a security issue
Found something? Please email security@inflect-iq.com (or contact@inflect-iq.com). We appreciate responsible disclosure and will respond promptly.
The PDPA seal above is a self-declaration of our compliance posture, not an official PDPC certification.