Security
How Actras protects institutional data at every layer.
Last updated: February 2026
Infrastructure
Actras runs on Supabase, which is built on top of Amazon Web Services (AWS). All production infrastructure resides within SOC 2 Type II compliant data centers. Database servers are provisioned in isolated virtual private clouds (VPCs) with no direct public access.
- PostgreSQL database with automated daily backups and point-in-time recovery
- Edge Functions deployed on Deno Deploy with global distribution
- Object storage for evidence files with per-object access control
- Automatic failover and high-availability database replicas
Encryption
Data is encrypted both in transit and at rest, ensuring that sensitive information is protected at every stage.
- In transit: All connections use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on all endpoints.
- At rest: Database storage uses AES-256 encryption. Evidence files in object storage are encrypted with server-side encryption (SSE).
- Secrets management: API keys, tokens, and service credentials are stored in secure vault systems, never in source code.
Access Control & Tenant Isolation
Actras is a multi-tenant platform where each organization's data is strictly isolated. We enforce this through multiple layers:
- Row-Level Security (RLS): Every database query is filtered at the database engine level, ensuring users can only access rows belonging to their organization.
- Role-based authorization: Three roles (participant, reviewer, admin), each with specific permission boundaries enforced in both the API and the database.
- Storage policies: Evidence files are scoped per organization and per submission. Direct file access requires valid authentication and organization membership.
- No cross-org queries: Database functions validate organization membership on every operation. There is no mechanism to query across organization boundaries.
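The Row-Level Security and role checks listed above can be expressed in PostgreSQL as follows. This is an added example, not Actras's actual schema or policies; the table, column and function names and the `app.user_id` session setting are assumptions made for illustration.

```sql
-- Constructed schema: every name below is hypothetical, chosen for this example.
CREATE TABLE memberships (
    user_id uuid NOT NULL,
    org_id  uuid NOT NULL,
    role    text NOT NULL CHECK (role IN ('participant', 'reviewer', 'admin')),
    PRIMARY KEY (user_id, org_id)
);
CREATE TABLE submissions (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id   uuid NOT NULL,
    owner_id uuid NOT NULL,
    status   text NOT NULL DEFAULT 'pending'
);

-- Caller identity, assumed to be set per transaction by the API layer.
-- On Supabase the built-in auth.uid() helper plays this role.
CREATE FUNCTION app_current_user() RETURNS uuid
LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
ALTER TABLE memberships ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;
ALTER TABLE submissions ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;

-- A user sees only their own membership rows.
CREATE POLICY own_memberships ON memberships FOR SELECT
    USING (user_id = app_current_user());

-- Read: any member of the row's organization.
CREATE POLICY org_read ON submissions FOR SELECT
    USING (EXISTS (SELECT 1 FROM memberships m
                   WHERE m.org_id = submissions.org_id
                     AND m.user_id = app_current_user()));

-- Insert: only into an organization the caller belongs to, under their own id.
CREATE POLICY org_insert ON submissions FOR INSERT
    WITH CHECK (owner_id = app_current_user()
                AND EXISTS (SELECT 1 FROM memberships m
                            WHERE m.org_id = submissions.org_id
                              AND m.user_id = app_current_user()));

-- Update (review decisions): reviewers and admins of the same organization.
-- With no WITH CHECK clause, USING also applies to the updated row, so a
-- reviewer cannot move a submission into an organization they do not review.
CREATE POLICY org_review ON submissions FOR UPDATE
    USING (EXISTS (SELECT 1 FROM memberships m
                   WHERE m.org_id = submissions.org_id
                     AND m.user_id = app_current_user()
                     AND m.role IN ('reviewer', 'admin')));

-- No DELETE policy exists, so deletes are denied by default.
-- Check: every table in the schema should report both flags as true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relnamespace = 'public'::regnamespace AND relkind = 'r';
```

Superusers and roles with the `BYPASSRLS` attribute are not subject to these policies, so the application should connect as a role that has neither.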
Audit Logging
Every significant action within Actras is recorded in an immutable audit log, providing full traceability for compliance and governance purposes.
- Submission creation, evidence uploads, and status changes
- Review decisions (approve, reject, request resubmission) with reviewer identity
- Administrative actions: user invitations, role changes, settings modifications
- Data lifecycle events: retention cleanups, user anonymization
- Audit log entries are append-only and cannot be modified or deleted by any user
Incident Response
We maintain an incident response process aligned with industry standards. In the event of a security incident affecting your institution's data:
- Affected organizations are notified within 72 hours
- A detailed incident report is published, including scope, impact, and remediation steps
- Post-incident reviews are conducted to prevent recurrence
Report a Vulnerability
If you discover a security vulnerability, please report it responsibly to security@actras.io. We acknowledge reports within 48 hours and work to resolve confirmed vulnerabilities promptly.