Trust Centre

Security Questionnaire

Pre-answered responses to common security due diligence questions from pharmaceutical, biopharma, EPCM, and chemical manufacturing procurement teams.

Accuracy notice: Answers marked “Partial” or “Roadmap” reflect our current state honestly. We do not claim capabilities we do not yet have. If you need a custom questionnaire response or additional evidence, please contact our enterprise team.

1. Data Encryption

Is data encrypted at rest?

Yes

Yes. All data stored in ChemCapital is encrypted at rest using AES-256, provided by Supabase on AWS (eu-west-2). Encryption is managed at the database and storage layer.

Is data encrypted in transit?

Yes

Yes. All connections to ChemCapital use TLS 1.2 or higher. Unencrypted HTTP is redirected to HTTPS at the edge.

Are encryption keys managed separately from data?

Yes

Encryption key management is handled by AWS KMS via Supabase. Keys are not stored alongside application data.

2. Access Controls

Does the system enforce role-based access control (RBAC)?

Yes

Yes. ChemCapital enforces RBAC at the application level (OWNER, ADMIN, MEMBER, VIEWER roles). All data access is scoped by company identifier (companyId) at the database query level.

Is multi-factor authentication (MFA) available?

Yes

Yes. MFA is available for all user accounts. Enforcement options for enterprise tenants are available via admin settings.

Is single sign-on (SSO) supported?

Yes

Yes. SSO is available via SAML 2.0 and OIDC for enterprise tenants, powered by Supabase Auth. On sign-in, users enter their company domain and are redirected to the identity provider (IdP) configured for that domain. Supported IdPs include Okta, Azure AD / Entra ID, Google Workspace, and any SAML 2.0-compliant IdP. Contact us to configure SSO for your domain.

Is privileged access managed and audited?

Yes

Administrative actions within ChemCapital are recorded in the audit log. Platform-level (infrastructure) privileged access is managed via AWS IAM and Supabase access controls.

3. Audit Logging

Does the system maintain an audit trail?

Yes

Yes. All data-change events are recorded in an audit log (AuditEvent) with user identity, timestamp (UTC), action type, and before/after values where applicable.

Are audit logs tamper-evident?

Yes

Yes. Every regulated write event records a SHA-256 payload digest and a chain digest (SHA-256 over payload + previous chain digest). Writes are serialised with a PostgreSQL advisory lock so that concurrent writers cannot break the chain. The audit viewer verifies chain integrity on every page load and flags broken links. All events display UTC timestamps per 21 CFR Part 11 and ALCOA+ requirements. Audit logs are exportable as JSON or CSV with a tamper-evident digest header.

Can audit logs be exported?

Yes

Yes. Audit log export is available as JSON (all events) or CSV (up to 5,000 events) via the Regulated Readiness → Audit Log page and the export API. Each export includes an X-Export-Digest header for verification. Date-range and action-type filtering are supported.
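The two answers above describe a hash-chained audit log and a digest-protected export. The following is an added illustration of that scheme, written for this page; it is not ChemCapital's code, and it makes several assumptions the page does not state: payloads are canonicalised as sorted-key JSON before hashing, the first event chains to a genesis value of 64 zero hex digits, a process-local lock stands in for the PostgreSQL advisory lock, and the export digest is the SHA-256 of the exported body. The sample events are constructed. The verifier checks each event against the chain digest actually stored on its predecessor, so an edited event is flagged itself, while an event whose digests were recomputed after editing (or a deleted event) causes the link that follows it to be flagged.

```python
import hashlib
import json
import threading
from dataclasses import dataclass, asdict

# Assumption: the first event in a chain links to this genesis value.
GENESIS_DIGEST = "0" * 64


def canonical_payload(payload: dict) -> bytes:
    """Deterministic encoding (sorted keys, no whitespace) so writer and
    verifier hash identical bytes. The encoding itself is an assumption."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def payload_digest(payload: dict) -> str:
    """SHA-256 hex digest of the canonical payload."""
    return hashlib.sha256(canonical_payload(payload)).hexdigest()


def chain_digest(payload: dict, prev_chain_digest: str) -> str:
    """SHA-256 over payload + previous chain digest, as the page describes."""
    return hashlib.sha256(canonical_payload(payload) + prev_chain_digest.encode("utf-8")).hexdigest()


@dataclass
class AuditEvent:
    user: str
    ts_utc: str            # ISO-8601 timestamp in UTC
    action: str
    payload: dict
    payload_digest: str
    chain_digest: str


class AuditLog:
    """Append-only event list. The lock serialises writers so two concurrent
    appends cannot both chain to the same predecessor (the real system uses a
    PostgreSQL advisory lock for this)."""

    def __init__(self) -> None:
        self.events: list[AuditEvent] = []
        self._lock = threading.Lock()

    def append(self, user: str, ts_utc: str, action: str, payload: dict) -> AuditEvent:
        with self._lock:
            prev = self.events[-1].chain_digest if self.events else GENESIS_DIGEST
            event = AuditEvent(user, ts_utc, action, payload,
                               payload_digest(payload), chain_digest(payload, prev))
            self.events.append(event)
            return event


def verify_chain(events: list[AuditEvent]) -> list[int]:
    """Return the indices of events whose stored digests do not verify.
    Each event is checked against the digest stored on its predecessor."""
    broken = []
    prev = GENESIS_DIGEST
    for i, ev in enumerate(events):
        if (ev.payload_digest != payload_digest(ev.payload)
                or ev.chain_digest != chain_digest(ev.payload, prev)):
            broken.append(i)
        prev = ev.chain_digest
    return broken


def export_json(events: list[AuditEvent]) -> tuple[str, str]:
    """Serialise events and return (body, digest); the digest is the value a
    header such as X-Export-Digest would carry (assumed to be SHA-256 of body)."""
    body = json.dumps([asdict(ev) for ev in events], sort_keys=True)
    return body, hashlib.sha256(body.encode("utf-8")).hexdigest()


def verify_export(body: str, digest: str) -> bool:
    """Recompute the export digest and compare it with the header value."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest() == digest


def build_sample_log() -> AuditLog:
    """Constructed sample events for demonstration only."""
    log = AuditLog()
    log.append("alice@example.com", "2025-01-10T09:00:00Z", "CREATE", {"batch": "B-001", "qty_kg": 10})
    log.append("bob@example.com", "2025-01-10T09:05:00Z", "UPDATE", {"batch": "B-001", "qty_kg": 12})
    log.append("alice@example.com", "2025-01-10T09:10:00Z", "RELEASE", {"batch": "B-001", "status": "released"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("broken links on intact chain:", verify_chain(log.events))
    log.events[1].payload["qty_kg"] = 99   # simulate an out-of-band edit
    print("broken links after edit:", verify_chain(log.events))
    body, digest = export_json(build_sample_log().events)
    print("export digest verifies:", verify_export(body, digest))
```

Running the script shows an intact chain verifying with no broken links, the edited event being flagged, and the export digest verifying only over the unmodified body.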

Are audit logs retained for the required period?

Yes

Yes. Configurable retention policies and legal hold are live under Enterprise Settings → Compliance. Retention periods default to 7 years for regulated records (aligned with GxP minimum). Records under legal hold cannot be deleted until the hold is explicitly released by an authorised administrator. A scheduled retention engine enforces automatic purging of records past their retention date.

4. Vulnerability Management

Is there a vulnerability management programme?

Partial

We apply dependency updates and security patches on an ongoing basis. A formal vulnerability management programme with scheduled scanning and remediation SLAs is on our Phase 1 roadmap.

Is penetration testing performed?

Roadmap

Annual penetration testing with a remediation report is on our 2026 roadmap. We have not yet completed a formal external penetration test.

Is there a responsible disclosure / bug bounty programme?

Partial

We accept responsible disclosure reports via security@chemcapital.com. A formal bug bounty programme is under consideration.

5. Backup and Recovery

Is data backed up regularly?

Yes

Yes. Supabase performs automated database backups with point-in-time recovery. Backups are stored in AWS eu-west-2.

What are the RTO and RPO targets?

Partial

We target a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for production data. These targets are based on our infrastructure architecture and have not yet been formally tested via disaster recovery exercises.

Are disaster recovery plans tested?

Roadmap

Formal DR testing exercises are on our 2026 roadmap. Current DR capability relies on Supabase automated backup and restore procedures.

6. Sub-processor and Supply Chain

Is there a sub-processor inventory?

Yes

Yes. Our sub-processor list is publicly available at chemcapital.com/trust#sub-processors. All sub-processors are bound by data processing agreements.

Are sub-processors reviewed before use?

Yes

Yes. Sub-processors are reviewed for security posture, DPA compliance, and regional data handling requirements before onboarding.

Is there a process to notify customers of sub-processor changes?

Yes

We maintain a change log for our sub-processor list. Enterprise customers can request advance notification of material sub-processor changes.

7. Incident Response

Is there a documented incident response procedure?

Yes

Yes. ChemCapital maintains an incident response procedure covering detection, triage, containment, investigation, notification, and remediation.

How quickly are customers notified of a breach?

Yes

We commit to notifying affected customers within 72 hours of confirming a personal data breach, in line with UK GDPR Article 33 and EU GDPR obligations.

Is there a 24/7 security incident contact?

Partial

Security incidents can be reported to security@chemcapital.com at any time. A 24/7 on-call security rotation is on our roadmap as we scale.

8. Personnel and Vetting

Are employees subject to background checks?

Yes

All employees and contractors with access to production systems are subject to background verification checks appropriate to their role.

Is security awareness training conducted?

Yes

Security awareness training is provided to all team members on onboarding and updated annually.

Need a custom response?

If your organisation uses a proprietary security questionnaire format (e.g. SIG Core, CAIQ, or internal vendor assessment), we can provide responses in your preferred format.