Security

How we protect your data and maintain the integrity of the BI Method platform.

Last updated: 24 April 2026

If you believe you have found a security vulnerability, please report it responsibly to security@behaviourintelligenceplatform.com before disclosing it publicly. We aim to acknowledge all reports within 72 hours.

Infrastructure and Hosting

Powered by Supabase on AWS EU-West

The BI Method platform is hosted on Supabase, which runs on Amazon Web Services infrastructure in the EU (eu-west-1). All data is stored and processed within the European Economic Area, satisfying UK GDPR and EU GDPR data residency requirements.

  • Database: PostgreSQL managed by Supabase, with automated daily backups retained for 7 days.
  • File storage: Supabase Storage (S3-compatible), with server-side encryption at rest.
  • CDN and edge: Cloudflare for DDoS mitigation and TLS termination.
  • Uptime monitoring: 99.9% SLA target; status available at Supabase's status page.

Data Encryption

Encryption in transit and at rest

In Transit

All communication between your browser and our servers is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.

At Rest

All database data and stored files are encrypted at rest using AES-256, managed by Supabase's underlying AWS infrastructure. Encryption keys are managed by AWS KMS and are rotated automatically.

Passwords

User passwords are never stored in plaintext. They are hashed using bcrypt (via Supabase Auth) with a minimum cost factor of 10. We enforce a minimum password length and maintain a password history to prevent reuse of recent passwords.

Access Controls

Role-based access and least privilege

Access to data is governed by Row Level Security (RLS) policies enforced at the database layer. No application code can bypass these policies — every query runs as the authenticated user and is subject to their permission set.

User Roles

  • Member: access to their own assessments, results, and profile only.
  • Team Lead: access to their own team's aggregated results; cannot see individual member responses.
  • Admin: organisation-scoped access; cannot access data outside their organisation.
  • Platform Admin: platform-wide access, restricted to The BI Method staff. All actions are audit-logged.
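As an added illustration (not the platform's own schema or policies), this is how the Member and Team Lead rules above can be expressed as Supabase Row Level Security policies in PostgreSQL, followed by a check that the policy is actually applied. The table and column names (`assessments`, `team_results`, `team_memberships`, `user_id`, `team_id`, `role`) are assumptions; `auth.uid()` is Supabase's helper that returns the caller's JWT subject.

```sql
-- Enable RLS on the assumed tables, and force it so that even the table
-- owner is subject to the policies (otherwise the owner bypasses RLS).
alter table assessments  enable row level security;
alter table assessments  force  row level security;
alter table team_results enable row level security;
alter table team_results force  row level security;

-- Member: may read only their own assessment rows.
-- With no INSERT/UPDATE/DELETE policy, those operations are denied by default.
create policy member_reads_own_assessments on assessments
  for select
  to authenticated
  using (user_id = auth.uid());

-- Team Lead: may read the aggregated results of teams they lead,
-- but gets no policy on individual member responses in assessments.
create policy team_lead_reads_team_aggregates on team_results
  for select
  to authenticated
  using (
    exists (
      select 1
      from team_memberships m
      where m.user_id = auth.uid()
        and m.team_id = team_results.team_id
        and m.role    = 'team_lead'
    )
  );

-- Check (run in a transaction from a superuser session, then roll back):
-- impersonate the authenticated role with a constructed JWT claim set,
-- the same way Supabase's PostgREST layer sets it for a real request.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
-- Expect only rows whose user_id equals the constructed sub above.
select user_id, count(*) from assessments group by user_id;
rollback;
```

If the check returns rows for any other `user_id`, RLS is not enforced on that path (for example a query running as the table owner without `force row level security`).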

Internal Access

Direct database access by BI Method staff requires multi-factor authentication and is logged in an immutable audit trail. We operate on a need-to-know basis and review access rights quarterly.

Authentication Security

The platform uses Supabase Auth, which implements industry-standard authentication practices:

  • JWT-based session tokens with short expiry and automatic refresh.
  • Rate limiting on login, signup, and password reset endpoints to prevent brute-force attacks.
  • Account lockout after repeated failed login attempts, with notification to the account holder.
  • Security alerts sent by email when a new device or location is detected logging in to your account.
  • Password reset tokens are single-use and expire after 1 hour.

Organisational Security Measures

In accordance with UK GDPR Article 32, we implement the following organisational measures:

  • All staff with access to personal data receive data protection training.
  • Data processing activities are documented in a Record of Processing Activities (RoPA).
  • We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
  • Third-party processors are assessed for compliance and subject to Data Processing Agreements.
  • We maintain a list of approved subprocessors and notify customers of any changes with 30 days' notice.

Incident Response

What we do if something goes wrong

We maintain a documented incident response plan. In the event of a data breach or security incident:

  • We will assess the severity and scope within 24 hours of detection.
  • If the incident is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO (Information Commissioner's Office) within 72 hours as required by UK GDPR Article 33.
  • We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34).
  • We will conduct a post-incident review and implement remediation measures.

Vulnerability Disclosure

Responsible disclosure policy

We welcome reports of security vulnerabilities from security researchers and the broader community. If you discover a potential vulnerability, please:

  • Email us at security@behaviourintelligenceplatform.com with a description of the issue and steps to reproduce it.
  • Give us reasonable time to investigate and remediate before public disclosure.
  • Do not access, modify, or delete data belonging to other users during your research.

We will acknowledge your report within 72 hours and keep you informed of our progress. We do not currently offer a bug bounty programme, but we recognise responsible disclosures publicly if you consent.

Questions about our security practices? Contact us at security@behaviourintelligenceplatform.com.