Security

Last updated: 17 July 2026

Hosting and data residency

All customer data is stored in AWS's London region (eu-west-2) on Supabase infrastructure that complies with ISO 27001 and SOC 2. The United Kingdom holds an EU adequacy decision, so personal data belonging to EU customers is lawfully processed there under GDPR. Our analytics data is processed in the EU (Frankfurt).

Encryption

All traffic between your devices and Fixray is encrypted in transit with TLS. Data — including photos, videos, and voice notes — is encrypted at rest on our storage infrastructure using AES-256.

Access control

Fixray is multi-tenant by design: every database query is constrained by row-level security policies so one organisation can never read another's data. Within your organisation, role-based permissions control what each person can see and do, and multi-factor authentication is available for your team's accounts.

Backups

Databases are backed up automatically every day, so your maintenance history, photos, and audit trail can be recovered if something goes wrong.

Subprocessors

We use a small number of vetted service providers to run Fixray. Each processes data only on our instructions:

ProviderPurposeLocation
Supabase (on AWS)Database, authentication, file storage, and server functionsLondon, United Kingdom (AWS eu-west-2)
CloudflareHosting, content delivery, DNS, and bot protectionGlobal edge network (EU/UK entry points)
StripePayment processing and billingEU / United States
ResendTransactional email (invites, notifications, alerts)United States
OpenRouter / Google (Gemini)AI transcription and suggestion featuresUnited States / EU
PostHogProduct analyticsFrankfurt, Germany (EU)
HubSpotCustomer relationship management and support inboxEU / United States

Data processing agreement

A standard data processing agreement (DPA) covering our GDPR obligations is available on request — email hello@fixray.app.

Reporting a vulnerability

If you believe you've found a security issue in Fixray, please email hello@fixray.app with the details. We investigate every report and will keep you informed of the outcome. Please don't test against production systems or access data that isn't yours while doing so.