Security & Compliance

Overview

This page summarises how EfficiaFlow protects customer data in ProjoLink (web) and ProjoLink Time (iOS/Android).

Document hierarchy & precedence. This page is informational. If there is any inconsistency between documents, they will be interpreted in the following order of precedence:

1) Signed Order Form – controls commercial specifics (plan, users, price, term, SLA credits or variations).
2) Master Service Agreement (MSA) – governs the service relationship generally.
3) Data Processing Agreement (DPA) – for privacy/data-protection matters, the DPA prevails over the MSA.
4) Website materials – the Security page, Privacy Notice, Cookie Notice and Terms of Use are provided for transparency; they do not modify any signed agreement.

Note: Terms of Use apply to browsing the public website; they do not change customer contractual terms for the ProjoLink service.

Compliance Posture

  • We align our controls to ISO/IEC 27001:2022 and maintain a Statement of Applicability (available under NDA)

  • Our sub-processors publish independent security attestations (e.g., ISO 27001, SOC 2 Type II) and GDPR-ready DPAs

  • GDPR is a legal framework (not a certificate). We meet GDPR duties via our DPA, UK IDTA/EU SCCs for international transfers, access controls, and documented data-subject-rights processes

About our Sub-Processors (Last updated: 9th October 2025)

Change log: 09 October 2025 — Added Resend (SMTP).

This section is the Authoritative Sub-processor Register for ProjoLink (per our MSA). We provide ≥30 days’ advance notice of any intended addition or material change via this page and email, with customer objection rights.

1) Primary processing and storage for ProjoLink is provisioned in the United Kingdom (London, AWS eu-west-2 via Supabase); where our CDN/edge provider (Vercel) accelerates delivery, caching is transient and controlled by our cache headers—pages/APIs that may include personal data are served with Cache-Control: no-store and are not cached at the edge.

2) Where service-generated data or support operations involve processing outside the UK, international transfers are safeguarded using the UK IDTA/EU SCCs with our sub-processors. We provide ≥30 days’ advance notice of any material sub-processor change.

Sub-processor register (columns: Sub-processor; Service role; Data processed; Region(s); Transfer safeguard)

SUPABASE
Service role: Postgres DB, Auth, Storage (logos); Edge Functions (admin-only invite/resend/delete)
Data processed: PII used by ProjoLink: names, emails, IDs, allocations, timesheets, holiday entries; no special-category data
Region(s): UK (London, AWS eu-west-2)
Transfer safeguard: N/A (in-region)

VERCEL
Service role: Static hosting/CDN, edge network, firewall/WAF
Data processed: No PII in static; HTTP request metadata in provider logs (no payload/body/PII by policy)
Region(s): Global CDN (static only)
Transfer safeguard: N/A (no PII)

RESEND
Service role: SMTP delivery for invites & password reset emails
Data processed: Email address only; short-lived invite/reset tokens (no personal data in token payload; treated as security-sensitive secrets)
Region(s): EU (Ireland, eu-west-1) sending; may process in US per DPA
Transfer safeguard: EU SCCs + UK Addendum (TRA/TIA on file)

About our Sub-processors’ Compliance

Our infrastructure partners hold independent security attestations and publish GDPR-ready DPAs:
  • Vercel – SOC 2 Type II attestation; ISO 27001 certified; Trust Center access for reports and policies

  • Supabase (hosted on AWS eu-west-2) – SOC 2 Type II compliant; security docs and SOC 2 access via Supabase

  • AWS (underlying cloud for Supabase London) – ISO/IEC 27001:2022 certified including eu-west-2

  • Resend – SOC 2 Type II attestation; GDPR-ready DPA (SCCs + UK Addendum); EU sending region (Ireland, eu-west-1); Pen-Test Letter of Attestation available.

What the ProjoLink Product Does (context & details)

ProjoLink runs a monthly loop — Forecast → Allocate → Work → Review — to control project hours and capacity across engineering teams. Forecasts freeze before allocation; actuals come from approved timesheets; variance and utilisation are tracked objectively.

Roles & Data Protection

  • Customer = Controller; EfficiaFlow = Processor

  • Transfers: Primary storage in the UK. If international transfers occur, we use UK IDTA/EU SCCs with our sub-processors

  • Data subjects & categories: Staff/contractors’ identification and contact details, time/attendance, allocations, holiday scheduling, project metadata, hours-based budgets; no special-category data intended

  • Data-subject rights: We support access, rectification, erasure, restriction, portability and objection within statutory timelines (intake via our published security/contact email)

Architecture & Hosting

  • Application delivery: Vercel provides global edge hosting, CDN & serverless runtime

  • Data platform: Supabase (Postgres, Auth, Object Storage) in London, UK, backed by AWS

  • Row-Level Security: RLS enforces strict tenant isolation at the database layer.

  • Shared responsibility: Physical security, facilities, network and hypervisor protections are handled by our providers; EfficiaFlow owns application-layer security, access control, RLS design, and operational processes
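The "RLS enforces strict tenant isolation at the database layer" bullet above describes a control, not how it is built. The following is an added illustration of that pattern on Postgres/Supabase; it is not ProjoLink's schema or policy set. The `org_members` and `timesheets` tables, their columns and the admin/member roles are hypothetical; `auth.uid()` is the Supabase Auth helper that returns the calling user's id from the request JWT.

```sql
-- Added illustration of database-layer tenant isolation with Postgres RLS.
-- Not ProjoLink's schema: table and column names are hypothetical.
-- Assumes Supabase Auth, where auth.uid() returns the caller's user id.

-- Tenant membership: which users belong to which organisation, and with what role.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('admin', 'member')),
  primary key (org_id, user_id)
);

-- Membership itself must be protected, or it leaks the tenant map.
alter table org_members enable row level security;
alter table org_members force row level security;
create policy org_members_self on org_members
  for select using (user_id = auth.uid());

-- Hypothetical tenant-scoped data table.
create table timesheets (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  user_id uuid not null,
  week    date not null,
  hours   numeric(5,2) not null check (hours >= 0)
);

-- ENABLE turns RLS on; FORCE applies it even to the table owner.
alter table timesheets enable row level security;
alter table timesheets force row level security;

-- Read: a caller sees only rows belonging to organisations they are a member of.
create policy timesheets_select on timesheets
  for select
  using (
    exists (select 1 from org_members m
            where m.org_id = timesheets.org_id
              and m.user_id = auth.uid())
  );

-- Write: a member may insert only their own rows inside their own org.
-- WITH CHECK is what stops a caller from labelling a row with another tenant's org_id.
create policy timesheets_insert on timesheets
  for insert
  with check (
    user_id = auth.uid()
    and exists (select 1 from org_members m
                where m.org_id = timesheets.org_id
                  and m.user_id = auth.uid())
  );

-- Update: USING limits which rows are visible to UPDATE; WITH CHECK limits what they may become.
create policy timesheets_update on timesheets
  for update
  using (user_id = auth.uid())
  with check (
    user_id = auth.uid()
    and exists (select 1 from org_members m
                where m.org_id = timesheets.org_id
                  and m.user_id = auth.uid())
  );

-- Delete: only an admin of the row's organisation.
create policy timesheets_admin_delete on timesheets
  for delete
  using (
    exists (select 1 from org_members m
            where m.org_id = timesheets.org_id
              and m.user_id = auth.uid()
              and m.role = 'admin')
  );

-- Verification from a psql session: impersonate an authenticated user the way
-- Supabase does per request, then confirm no cross-tenant rows are visible.
-- set local role authenticated;
-- set local request.jwt.claims = '{"sub": "<user uuid>"}';
-- select count(*) from timesheets
--   where org_id not in (select org_id from org_members);  -- expect 0
```

Two design points worth checking in any RLS deployment: every tenant-scoped table (including the membership table) needs RLS enabled and forced, because a single unprotected table undoes the isolation; and every write policy needs a `WITH CHECK` clause, because `USING` alone controls only which existing rows a statement can see, not which `org_id` a new or updated row may carry.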

Network & Edge Security

  • Always-on DDoS mitigation at the edge

  • Web Application Firewall (WAF) with OWASP-aligned detections; requests can be allowed / denied / challenged by rule

  • Bot management & anomaly detection: Available; enabled on customer requirement or when anomaly thresholds are met

  • IP & country controls: Allow/deny policies supported

  • Rate limiting: Available to slow abusive patterns

Encryption & Key Management

  • In transit: TLS 1.2/1.3.

  • At rest: Provider-managed encryption (e.g., AES-256 by the underlying platforms).

Identity & Access Management

  • Customer authentication: Supabase Auth

  • Password policy: Minimum 12 characters with uppercase, lowercase, number, and special character

  • EfficiaFlow staff: MFA enforced; least-privilege access; joiner-mover-leaver; periodic access reviews

Observability & Logs

  • Provider logs: Infrastructure/edge/runtime logs via Vercel and Supabase

  • Application-level audit trail: On our near-term roadmap (e.g., admin actions, permission changes, sensitive exports). Enterprise customers can request acceleration

  • Alerts: Threshold-based error/traffic alerts can be enabled and routed to our security inbox

Vulnerability Management & Testing

  • Patching cadence: Remediation prioritised by severity and exploitability; critical/high issues handled with urgency

  • Dependency hygiene: Automated advisories and periodic reviews; actions tracked

  • Penetration testing: Starting 2026, we are planning annual third-party testing and track remediation to closure. Executive summaries available under NDA

Business Continuity, Backups & Disaster Recovery

  • Backups: Daily backups with current retention of 7 days

  • Targets: RPO ≤ 24h and RTO ≤ 12h; restores are tested

Incident Response

  • We operate an incident response process (detect → triage → contain → eradicate → recover → review). For Personal Data Breaches, we notify customers within 48 hours of confirmation, with ongoing updates as we learn more

  • Incident classification: Severity definitions, response targets and any service credits are governed by your contract (MSA Schedule 2: SLA). The status page is an overview only (see the Live Status page)

Data Retention, Export, and Deletion

  • Export & deletion: At termination/expiry you have a 30-day export window. We then delete data from active systems and, within a reasonable period, from backups (subject to legal retention)

Availability & Support

  • SLA: 99.5% monthly availability; service credits apply if below threshold, as defined in your Order Form & Master Service Agreement

  • Support: Mon–Fri 09:00–17:00 UK via contact@efficiaflow.com

Assurance Documents (Available on Request)

  • ISO 27001 Statement of Applicability

  • Architecture & Residency Overview

  • Vendor Management & Change Policy

  • Transfer Risk & Impact Assessment (Resend)

  • Incident Response Plan

  • Control Proofs

  • Information Security Policy

  • Backup & DR Runbook

Customer Responsibilities

  • Customers control who gets admin roles (e.g., who can export payroll), manage user lifecycle, provide accurate data, and ensure a lawful basis for processing as Controller

  • Responsible Disclosure: Report suspected vulnerabilities to contact@efficiaflow.com. We acknowledge within 3 business days and share status updates until resolved

Certifications

We don’t currently hold ISO/SOC certifications. Our roadmap targets ISO 27001 readiness during 2026 (subject to funding). Vendor attestations (Supabase, Vercel) are available on request

Contact