Security & Trust

Last updated: 6 June 2026

1. Who We Are

GovClara is a product of Alhawaseeb Information Technology, a company registered in Amman, Jordan. We provide IT vendor and contract governance software to organisations across MENA and EMEA. For security enquiries contact us at security@govclara.com.

2. Data Storage & Residency

Your data is stored in a managed PostgreSQL database provided by Supabase, running on AWS eu-central-1 (Frankfurt, Germany). Supabase is SOC 2 Type II certified — you can review their compliance documentation at supabase.com/security.

The GovClara application backend runs on Railway (europe-west4 — Netherlands). The frontend is served via Vercel's global edge network, with European points of presence.

All primary data storage and compute is within the European Union. If your organisation requires specific in-country data residency beyond the EU, contact us at security@govclara.com to discuss options.

3. Encryption

  • In transit: All connections to GovClara use HTTPS, with TLS 1.2 or higher enforced. Plain HTTP is not accepted.
  • At rest: Data stored in Supabase is encrypted at rest using AES-256.
  • Passwords: User passwords are hashed using Argon2id before storage. We never store plaintext passwords.
  • Uploaded files: Contract PDFs uploaded to the platform are stored in Supabase Storage with per-organisation path isolation.

4. Application Security

  • Authentication: Sessions are managed using short-lived JWT access tokens (30-minute expiry) and rotating refresh tokens (7-day expiry).
  • Multi-tenancy: Each organisation's data is isolated at the application layer and enforced via Supabase Row Level Security (RLS) policies. No organisation can access another's data.
  • Rate limiting: All API endpoints are rate-limited to protect against brute-force and abuse.
  • Audit log: Every data-modifying action within your organisation is recorded in an immutable, hash-chained audit log.
  • Penetration testing: The platform has been tested against OWASP Top 10 attack scenarios including SQL injection, XSS, broken access control, and credential stuffing.
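To make the "immutable, hash-chained audit log" item concrete, here is a small added example of what such a chain provides and how tampering is detected. It is illustration only, not GovClara's implementation: the entry fields, the SHA-256 hash and the in-memory storage are assumptions. Each entry commits to the hash of the one before it, so editing or deleting an earlier entry breaks every later link; silent removal of the newest entries is the one case the chain alone cannot catch, which is why the latest hash is also compared against an externally anchored copy.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Hash the first entry links to (no predecessor). Constructed for this example.
GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    seq: int          # position in the log, so a deleted middle entry is noticed
    actor: str        # who performed the action (assumed field)
    action: str       # e.g. "create", "update", "delete" (assumed field)
    record: str       # identifier of the record changed (assumed field)
    prev_hash: str    # entry_hash of the previous entry, GENESIS_HASH for the first
    entry_hash: str = ""


def canonical(entry: AuditEntry) -> bytes:
    """Deterministic byte encoding of everything the hash covers (not entry_hash itself)."""
    payload = {
        "seq": entry.seq,
        "actor": entry.actor,
        "action": entry.action,
        "record": entry.record,
        "prev_hash": entry.prev_hash,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(entry: AuditEntry) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


class HashChainedLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, record: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(seq=len(self.entries), actor=actor, action=action,
                           record=record, prev_hash=prev)
        entry.entry_hash = compute_hash(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; publishing this externally is what anchors the chain."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry.

        An entry is bad if its sequence number, its link to the predecessor, or
        its own hash no longer match what was recorded.
        """
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != expected_prev or compute_hash(e) != e.entry_hash:
                return i
            expected_prev = e.entry_hash
        return None

    def truncated_since(self, anchored_head: str) -> bool:
        """True if entries were dropped from the tail since anchored_head was published."""
        return self.head() != anchored_head


def build_sample_log() -> HashChainedLog:
    # Constructed sample actions, not real audit data.
    log = HashChainedLog()
    log.append("alice@example.org", "update", "contract-42")
    log.append("bob@example.org", "delete", "vendor-7")
    log.append("alice@example.org", "create", "contract-43")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()                      # copy the head somewhere the app cannot rewrite
    print("intact:", log.verify())           # None
    log.entries[1].record = "vendor-8"       # simulate an after-the-fact edit
    print("first bad entry:", log.verify())  # 1
    log = build_sample_log()
    log.entries.pop()                        # simulate dropping the newest entry
    print("chain still verifies:", log.verify())            # None: the chain cannot see this
    print("but head differs from anchor:", log.truncated_since(anchor))  # True
```

The design point is that `verify()` catches in-place edits, deletions and reordering of anything but the tail, and the external anchor covers the tail; together they are what makes "immutable" a checkable property rather than a policy statement.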

5. GDPR & Data Processing

GovClara acts as a data processor on behalf of your organisation. Your organisation is the data controller for the vendor and contract data you enter into the platform.

We process personal data only as necessary to provide the service and as described in our Privacy Policy. We do not sell, rent, or share your data with third parties for marketing purposes.

If your organisation requires a Data Processing Agreement (DPA) — for example, for GDPR compliance — contact us at security@govclara.com and we will provide one.

We commit to notifying affected customers within 72 hours of becoming aware of a personal data breach, in line with GDPR Article 33 obligations.

6. Subprocessors

We use the following third-party subprocessors to deliver the service:

Subprocessor    Purpose                                     Location
Supabase        Database & file storage                     EU (AWS eu-central-1, Frankfurt)
Railway         Backend hosting                             EU (europe-west4, Netherlands)
Vercel          Frontend hosting & CDN                      Global edge
Paddle          Payment processing                          UK / USA
Resend          Transactional email                         USA
Groq            AI assistant (no training on your data)     USA

7. Responsible Disclosure

If you discover a security vulnerability in GovClara, please report it to security@govclara.com. We ask that you give us reasonable time to investigate and remediate before any public disclosure. We do not pursue legal action against researchers who act in good faith.

8. Contact

For security questions, DPA requests, or data deletion requests:

security@govclara.com

Alhawaseeb Information Technology · Amman, Jordan