Security

Where your productions live

The short version an ops team needs before putting a client event in a new tool. Questions beyond this page: ben@producedbyben.co.uk.

Data location

Application data lives in a managed Postgres database on Supabase in the EU (eu-west-1, Ireland). Uploaded media lives in Supabase Storage in the same region. The application itself runs on Vercel.

Tenant isolation

Every production-scoped table is protected by Postgres row-level security: a signed-in user can only read or write rows for productions they own, are a member of, or are linked crew on. The user directory is scoped the same way: you can only see people you share a production with. Public call-sheet pages authenticate by unguessable token, are scoped to a single day or crew member, and are revocable at any time.

Encryption

TLS everywhere in transit (HSTS enabled). Storage and database encrypted at rest by the platform. Bring-your-own AI keys are encrypted with AES-256-GCM before they touch the database and are only ever decrypted server-side; they are never sent to the browser. Card details never touch our servers: payment runs entirely on Stripe.

Subprocessors

  • Supabase (EU / Ireland): database, auth, file storage
  • Vercel (US/global edge): application hosting and analytics
  • Stripe (US/EU): payments and invoicing
  • Anthropic, Google, OpenAI (US): AI features only, and only the production text needed for the request; media files are not sent to AI providers
  • Open-Meteo (EU): weather on call sheets, location coordinates only

Access & accounts

Passwords are handled by Supabase Auth (bcrypt), with self-serve reset. Deleting your account removes your profile, your uploaded files and every production only you own; shared productions transfer to a remaining member so a team never loses work.

Your data, out

Shot lists export to CSV and calendars to ICS today; a full per-production export bundle is on the near-term roadmap. If the service were ever discontinued, accounts would get a minimum 60-day window and help exporting.

Reporting a vulnerability

Email ben@producedbyben.co.uk with details. You'll get a response within two business days, and a fix or mitigation plan before any public disclosure.