Security at FloodWatch

Encryption

All data is encrypted both at rest and in transit. Our database layer (Supabase/PostgreSQL) encrypts stored data using AES-256, and all connections are secured with TLS 1.2+ — including API calls, dashboard access, and webhook deliveries.

Authentication

We support multiple authentication methods to suit your organisation's needs:

• Email & password — with configurable password policies and account lockout
• Google OAuth — sign in with your Google Workspace account
• Microsoft OAuth — sign in with your Microsoft / Azure AD account
• SAML 2.0 SSO — connect your corporate identity provider (Azure AD, Okta, OneLogin, and more)
• TOTP MFA — time-based one-time password for an additional layer of security

Authorisation

FloodWatch implements defence-in-depth authorisation at both the application and database layers:

• Row Level Security (RLS) — enforced on all database tables, ensuring users can only access data belonging to their organisation
• Role-based access control — four roles (Owner, Admin, Member, Viewer) with granular permissions for team and data management

Audit Logging

Every security-relevant action is recorded in an append-only audit log. This includes all membership changes (invitations, role changes, removals), SSO configuration updates, and organisation settings modifications. Audit logs are immutable and available to organisation admins.

Compliance & Data Residency

FloodWatch infrastructure is hosted in the UK/EU region (AWS eu-west-2, London) via Supabase, keeping your data within UK and EU jurisdictions. We are building with GDPR principles in mind, including data minimisation, purpose limitation, and the right to erasure.