Trust & Security

Built to keep your data safe.

IT asset data is sensitive. Here is an honest overview of how Assetify protects it: no marketing fluff, no certifications we have not earned.

Two-factor authentication (MFA)

Users can enable TOTP-based MFA from their profile settings. It works with Google Authenticator, Authy, and any RFC 6238-compliant app. Once enabled, every login requires a 6-digit code from the authenticator app.

  • 8 single-use backup codes generated on enrollment, downloadable as plain text
  • Trusted device option: skip MFA on the same device for up to 30 days
  • MFA state enforced in middleware on every request, not only at login
  • User-controlled: enable and disable from profile settings at any time

Access control

  • Role-based access control (RBAC) with custom roles per organisation
  • Granular permissions: read, create, update, delete per resource
  • Users without a role get no dashboard access
  • Passwords hashed with bcrypt (never stored in plain text)
  • Session tokens managed by Supabase Auth; invalidated on sign-out

Data protection

  • AES-256 encryption at rest
  • TLS 1.2+ encryption for all data in transit
  • Row Level Security (RLS) enforced at the database level: every query is organisation-scoped
  • Complete data isolation: one organisation cannot access another's data, even through internal APIs

Infrastructure

  • Hosted on Supabase (PostgreSQL) in the EU (Frankfurt, Germany)
  • Continuous backups with point-in-time recovery up to 7 days
  • Backup replicas stored in a separate geographic region
  • Managed infrastructure with automatic security patches

Audit & compliance

  • Immutable audit log: every create, update, and delete recorded with actor and timestamp
  • Before/after values stored for every change
  • Data hosted in the EU; designed with GDPR in mind
  • No customer data sold or shared with third parties

Responsible disclosure

If you discover a security vulnerability, please email security@getassetify.com. We respond to all valid reports within 2 business days and aim to patch critical issues within 48 hours. We do not pursue legal action against researchers acting in good faith.

Questions about security?

For security questions or to request our documentation, reach out directly.

security@getassetify.com