Security
How to report vulnerabilities, our response targets, and the security posture of the platform.
Reporting a vulnerability
Email security@kefilex.com with details. If the issue is sensitive enough to warrant encryption, mention it in your first message and we’ll exchange a PGP key.
We commit to acknowledging every report within one UK working day and providing a status update at least weekly until resolution.
Response targets
- High severity: patched as soon as practically possible. Active exploitation in the wild triggers an out-of-hours response.
- Medium severity: patched within 3 UK working days of confirmation.
- Low severity: patched within 3 weeks; tracked in the issue backlog.
Encryption posture
- In transit: HTTPS only, TLS 1.2 or higher (TLS 1.3 preferred). All non-HTTPS traffic is redirected. HSTS enabled.
- At rest: Postgres database storage encrypted with AES-256 by the database provider (Supabase). Long-lived third-party credentials (e.g. Clio refresh tokens) are additionally encrypted at the application layer.
- Secrets: API keys and client secrets live only in Netlify environment variables; never committed to the repository.
Sub-processors
Kefilex relies on the following sub-processors. All process data on our behalf under written terms.
- Supabase: Postgres database, authentication, file storage. Data hosted in eu-west-2 (UK).
- Netlify: web hosting, edge functions, background functions. Builds in eu-west-2.
- Resend: transactional email delivery (welcome emails, alerts).
- Stripe: payment processing and subscription billing. Card details never touch Kefilex servers.
- PostHog: product analytics, EU region. Loaded only with explicit user consent on trial tenants.
- Clio: practice-management data source. Connected per-tenant via OAuth, only with the customer’s consent.
Compliance posture
- UK GDPR & EU GDPR: Data residency in the UK / EU. Subject-access requests honoured within statutory timelines.
- MVSP: Self-attested against the Minimum Viable Secure Product controls. Detailed results below.
- SOC 2 / ISO 27001: Not certified today. On the roadmap once revenue justifies the audit cost.
MVSP self-attestation
Self-assessment against the Minimum Viable Secure Product v3 controls (mvsp.dev). Status as of 13 May 2026. Legend: ● satisfied, ● partial (inherent or planned), ● not yet, ● not applicable.
1 — Business controls
- 1.1 ● Vulnerability disclosure: security@kefilex.com + response targets published above + SECURITY.md in repo.
- 1.2 ● Customer testing: allowed on request; no permanent programme yet.
- 1.3 ● Self-assessment: this page is the annual self-assessment.
- 1.4 ● External penetration testing: planned once revenue supports a credentialed vendor.
- 1.5 ● Role-specific training: small team; security awareness inherent. Formal training as headcount grows.
- 1.6 ● Compliance: UK GDPR adherent; SOC 2 / ISO 27001 deferred (above).
- 1.7 ● Incident handling: 72-hour breach notification policy (below).
- 1.8 ● Data sanitisation: inherited from sub-processors (Supabase and Netlify, NIST 800-88-aligned).
2 — Application design
- 2.1 ● Single sign-on: email magic-link via Supabase Auth (passwordless). Customer-IdP SSO (SAML) on the post-revenue roadmap.
- 2.2 ● HTTPS-only: HSTS enabled by Netlify; HTTP redirected; auth cookies marked Secure.
- 2.3 ● Security headers: CSP and X-Frame-Options under review; results will be published before stage-1 submission.
- 2.4 ● Password policy: we don't store passwords; magic-link only via Supabase Auth.
- 2.5 ● Security libraries: Next 16, React 19, Supabase SSR, postgres-js; current versions, parameterised queries throughout.
- 2.6 ● Dependency patching: Dependabot security updates + weekly minor/patch PRs; CI gates on npm audit.
- 2.7 ● Logging: application logs via Netlify (14-day retention); auth events via Supabase audit logs. Mutation audit in platform.admin_actions retained indefinitely.
- 2.8 ● Encryption: TLS 1.2+ in transit; AES-256 at-disk via Supabase; Clio refresh tokens additionally encrypted at the application layer (pgcrypto).
3 — Application implementation
- 3.1 ● List of sensitive data: the sub-processor list above implies the inventory; a formal sensitive-data register is on the post-MVSP roadmap.
- 3.2 ● Data flow diagram: architecture documented in internal Notion; a public-facing data-flow diagram is planned with the marketing-site rebuild.
- 3.3 ● Vulnerability prevention: CSRF state in OAuth, HMAC-verified webhooks, parameterised SQL via postgres-js tagged templates, Next/React inherent XSS escaping, server-side input validation on every Server Action.
- 3.4 ● Time to fix: high ASAP, medium 3 business days, low 3 weeks (response targets above).
- 3.5 ● Build and release: Git + GitHub; Netlify CI builds from main; secrets only in Netlify environment variables, never in source.
4 — Operational controls
- 4.1 ● Physical access: no data centre of our own. Supabase and Netlify manage physical security at their facilities (each independently SOC 2).
- 4.2 ● Logical access + MFA: sole admin today; MFA enforced on GitHub, Supabase, Netlify and Clio developer accounts. Will formalise as headcount grows.
- 4.3 ● Sub-processor list: published above; revisited as part of this annual self-assessment.
- 4.4 ● Backup & DR: Supabase point-in-time recovery (7-day window) + daily logical backup. Formal DR runbook + restore drill on the post-MVSP roadmap.
Total: 12 satisfied / 9 partial / 2 not yet / 2 not applicable. Status revisited on the anniversary of this page or whenever a control materially changes.
Breach notification
In the event of a confirmed breach affecting customer data, we will notify affected customers without undue delay and in any case within 72 hours of confirmation, with the information required by UK GDPR Article 33(3). Initial notice is by email to the customer’s registered administrator address.
Public status page
Live uptime and recent incidents for app.kefilex.com, admin.kefilex.com and our public surfaces are published on the status page.
Monitored externally by BetterStack on a 3-minute cadence. Incidents are auto-published; subscribe by email on the status page if you want notifications.
Customer data deletion
Disconnecting the Clio integration removes our active session immediately. Cached Clio-sourced data (matters, contacts, time entries, bills) is retained for 30 days and then permanently deleted. Customers can request immediate deletion from the admin settings page in the application.