Security overview
Last updated: 2026-07-16
the individual sole trader operating the myPitLab service in England and Wales operates myPitLab as a multi-tenant field survey platform. This page summarises the controls we use today — factual product behaviour, not marketing claims or certifications we have not obtained.
1. Organisation isolation
Customer records are scoped to an organisation. Database access is enforced with Row Level Security (RLS) so authenticated users only see data for organisations they belong to. Object storage paths are organised by organisation ID.
2. Where data is stored
- Supabase Postgres — accounts, projects, inspections, measurements, audit logs
- Cloudflare R2 — photos, Smart Capture video/models, PDFs, and documents (private buckets; access via signed URLs)
- Vercel — application hosting
- Modal — optional ephemeral GPU processing for Smart Capture (reads/writes artefacts via secured worker callbacks)
3. Access & encryption
- HTTPS / TLS for data in transit
- Provider encryption at rest (Supabase and Cloudflare R2)
- Time-limited signed URLs for private object downloads
- MFA enforced for privileged roles in production (unless explicitly disabled)
- Session idle and absolute timeout controls
- Client share links for Smart Capture expire by default (30 days), support an optional passphrase, and can be revoked from the scan results screen
- Public share endpoints are rate-limited; passphrase unlock attempts use a stricter limit
- Smart Capture video uploads are size-capped and content-sniffed (WebM/MP4) before storage
4. Privacy & rights
Users can export or request deletion of personal data from the Privacy Dashboard. Our full Privacy Policy lists subprocessors and retention practices.
5. Vulnerability disclosure
Report security issues to security@mypitlab.com or see security.txt. Please do not publicly disclose issues before we have had a reasonable chance to respond.
6. What we do not claim
myPitLab is not presenting itself here as ISO 27001, SOC 2, or Cyber Essentials certified as a product. We operate on infrastructure from providers that publish their own compliance programmes, and we maintain internal security readiness documentation. Ask us if you need a DPA or a written security questionnaire for procurement.
Questions: support@mypitlab.com