FAQ Library
Security & data
Encryption, GDPR, data residency and your responsibilities as a customer.
- Is my data encrypted at rest?
  Yes. All customer data is encrypted at rest using AES-256 by Supabase Postgres and Cloudflare R2. BYOK keys use additional envelope encryption.
- Is data encrypted in transit?
  Yes. Every connection uses TLS 1.2 or higher. HSTS is enabled on the canonical domain and on every customer custom domain.
- Where is my data stored?
  Primary storage is in the European Union (Frankfurt and Stockholm). No customer data is replicated outside the EU without explicit consent.
- Is Blanca's Builder GDPR compliant?
  Yes. Blanca's IT Professional SL acts as data processor for customer data and complies with the EU GDPR. See /trust/gdpr for the full statement.
- Is a Data Processing Agreement available?
  Yes. A DPA is auto-signed when you accept the Terms. Enterprise customers can request a counter-signed PDF.
- Where is the list of subprocessors?
  /trust/data-processing lists every subprocessor we use, their role and the data type they process. Changes are announced 30 days in advance.
- How are passwords stored?
  Passwords are hashed by Supabase Auth using bcrypt with a per-user salt. Blanca's Builder never sees plaintext passwords.
- How do I exercise my right to erasure?
  Settings, Account, Delete account starts the process. You can also email privacy@blancas-it.com for a manual request. We confirm completion within 30 days.
- How do I exercise my right to data portability?
  Settings, Account, Export data produces a portable ZIP with your data in open formats (JSON, CSV, MD).
- Are penetration tests performed?
  Yes. Annual third-party penetration tests cover the application and infrastructure. Summaries are available to Enterprise customers on request.
- How do I report a security vulnerability?
  Email security@blancas-it.com with details. See /trust/vulnerability-disclosure for the policy and safe-harbour wording.
- What is the incident response process?
  We follow a documented runbook with severity tiers, customer notification within 72 hours and a public post-mortem for SEV-1 incidents. See /trust/incidents.
- Are audit logs available to customers?
  Yes. Settings, Security, Audit log shows all security-relevant events for your workspace. Enterprise customers can stream the log via webhook.
- Is single sign-on (SSO) supported?
  Yes, on Enterprise plans. SAML 2.0 and OIDC are supported. SCIM provisioning is on the roadmap.
- Which user roles are available?
  Owner, Admin, Member and Reviewer. Roles are stored in a separate user_roles table and checked via a security-definer function to prevent privilege-escalation bugs.
- Can I restrict access to a workspace by IP?
  Yes, on Enterprise plans. Settings, Security, IP allowlist. Sign-in attempts from outside the list are blocked.
- Are API rate limits in place?
  Yes. Every endpoint has per-user and per-IP limits to prevent abuse. Limits are documented in the API reference.
- Do logs contain personal data?
  Logs are minimised. Request paths and timestamps are recorded; bodies and headers are not. Logs are retained for 30 days.
- Is my data used to train AI models?
  No. Customer data is never used to train Managed AI models or shared with third parties for training. See the AI Policy for detail.
- What is the shared responsibility model?
  Blanca's Builder secures the platform; you secure your account, content, secrets and end-users. The Trust Center pages spell this out for every domain.
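The roles item above describes a pattern that is common on Supabase Postgres: keep roles in a dedicated `user_roles` table rather than in a row the user can edit, and read them through a `SECURITY DEFINER` function that row-level-security policies call. The escalation bug it avoids is a role column living on a user-editable profile row (a user updates `role = 'owner'` on themselves), and the recursion problem it avoids is a policy on a table querying that same table directly. The schema below is an added illustration of that pattern written for this FAQ; it is not Blanca's Builder's own code, and the table, function and policy names, the `pages` table and the `workspace_id` column are assumptions.

```sql
-- Added example, not Blanca's Builder's schema. Names are assumptions.
create type public.app_role as enum ('owner', 'admin', 'member', 'reviewer');

-- Roles live in their own table, never in a column of a profile row the
-- user can update, so a user cannot grant themselves a role via an update.
create table public.user_roles (
  user_id      uuid not null references auth.users (id) on delete cascade,
  workspace_id uuid not null,
  role         public.app_role not null,
  primary key (user_id, workspace_id)
);

alter table public.user_roles enable row level security;

-- Users may read their own role rows. No insert/update/delete policy is
-- defined, so the authenticated API role cannot write to this table at all;
-- role changes happen from a trusted backend using the service role.
create policy "read own roles" on public.user_roles
  for select using (auth.uid() = user_id);

-- SECURITY DEFINER: runs with the function owner's privileges, so it can
-- read user_roles even where RLS would hide rows from the caller. It is
-- STABLE (no writes, cacheable within a statement) and pins search_path so
-- a caller cannot shadow public.user_roles with a same-named object.
create or replace function public.has_role(
  _user_id uuid, _workspace_id uuid, _role public.app_role
) returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.user_roles
    where user_id = _user_id
      and workspace_id = _workspace_id
      and role = _role
  );
$$;

-- Limit who may call the definer function at all.
revoke execute on function public.has_role(uuid, uuid, public.app_role) from public;
grant  execute on function public.has_role(uuid, uuid, public.app_role) to authenticated;

-- Assumed content table, to show the function used from an RLS policy:
-- only Owners and Admins of a workspace may delete its pages. The policy
-- never touches user_roles directly, so it cannot recurse into its own RLS.
create table public.pages (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);
alter table public.pages enable row level security;

create policy "owners and admins delete pages" on public.pages
  for delete using (
    public.has_role(auth.uid(), workspace_id, 'owner')
    or public.has_role(auth.uid(), workspace_id, 'admin')
  );
```

A quick check after applying a schema like this: connect as an ordinary authenticated user and try `update public.user_roles set role = 'owner' where user_id = auth.uid();` it should affect zero rows, and `select public.has_role(auth.uid(), '<workspace>', 'owner')` should return `false` until a service-role backend inserts that row.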