Trust & security

Your event data is yours.

Indonesian data residency, multi-tenant isolation by default, magic-link auth (no passwords stored), full data export at any time. Below: the specifics, the people we share infrastructure with, and how to tell us if you find something wrong.

Posture
  • Data residency

    All app data — Postgres, auth, file storage — lives in Singapore (ap-southeast-1). Cross-region replication does not exist; your event's data stays in-region.

  • Multi-tenant isolation

    Postgres Row-Level Security is on from day one. Every tenant-scoped table carries an org_id, and every read goes through a policy that filters by the authenticated session's org. Two orgs cannot see each other's data, full stop.

  • Authentication

    Magic-link sign-in only — we never store passwords, so password breaches are not a category of risk that applies. Sessions refresh on every request via @supabase/ssr.

  • Export

    You can export your org's data at any time (events, leads, invoices, bukti files, members) in CSV or JSON. No lock-in. Closing your account deletes the data within 30 days.

RLS, per surface

Who can read and write what.

Roles in Gelar: owner, producer, sales, finance (Phase 1+). RLS policies enforce the table below at the database layer — the app code is the second line of defence, not the first.

SurfaceRead / write rule
events / zones / boothsReadable to any member of the owning org; writable to roles owner + producer.
leads / booth_assignmentsReadable to any member of the owning event's org; writable to owner, producer, sales.
invoices / bukti_uploadsReadable to org members; verification flips writable to owner + future finance role only.
activity (audit log)Append-only via server actions. Readable to org members; no client-side writes.
users / user_profilesA user can read their own profile; org members can read each other's name/initials/email; everything else requires admin role.
Sub-processors

Who else touches your data.

These are the third-party services Gelar uses to run. We will email org owners 30 days before adding a new sub-processor.

  • Supabase

    ap-southeast-1 (Singapore)

    Postgres database, authentication, file storage, realtime

  • Vercel

    Global edge; primary in Singapore

    Hosting and edge runtime

  • Resend

    Global

    Transactional email (magic-link delivery)

Retention
  • Active event data — kept indefinitely while the org is active. Deleted within 30 days of org closure (you can request immediate deletion).
  • Audit log — retained indefinitely through M8 (Q4 2026). After M8 ships the retention policy, default becomes 24 months; org owners can override.
  • Bukti uploads — kept as long as the parent invoice exists. Deleted with the invoice.
  • Magic-link tokens — single-use, 1-hour expiry. Discarded after consumption.
Reporting

Tell us if something looks wrong.

If you've found a vulnerability or a data-exposure concern, email security@gelar.co. We acknowledge within 24 hours and respond with a triage assessment within 5 business days. Please don't post details publicly until we confirm a fix has shipped.