Security Overview
We take the security of your lab data seriously. This page describes the technical and organisational measures we implement to protect your information.
Security at a glance
Encryption
- All data encrypted in transit via TLS 1.2+
- All data encrypted at rest (AES-256)
- Private file storage with signed URLs
Access control
- Role-based access control (RBAC)
- Row-level security enforced at database level
- Multi-tenant org isolation
Infrastructure
- Hosted on Vercel (SOC 2 Type II)
- Database on Supabase EU West (London)
- No data leaves the EU for primary storage
Auditability
- Audit log of key actions
- Supabase Auth session management
- Per-org data isolation
Multi-tenant data isolation
Every piece of data in LevelSixLabs is scoped to an organisation. Database Row-Level Security (RLS) policies are enforced at the database level — not just in application code — ensuring that one organisation cannot access another's data, even in the event of an application bug.
Organisation isolation is enforced by a SQL helper function (auth_organisation_id()) that verifies the caller's identity on every query.
Access control
LevelSixLabs implements a four-tier role hierarchy:
| Role | Capabilities |
|---|---|
| Super Admin | Full access to all data and settings within their organisation |
| Admin | Manage users, equipment, chemicals, bookings |
| Staff | Create and manage their own records within permitted modules |
| Student | View-only access to permitted modules |
Permissions can be further customised per user at a module and action level (view / create / edit / delete / verify / manage). Training-gated equipment bookings enforce additional safeguards.
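The following PostgreSQL is an added illustration of the two mechanisms described above (database-level Row-Level Security scoped by `auth_organisation_id()`, and the role hierarchy gating writes); it is not LevelSixLabs' own schema or policy code. The page names only the helper function, so its body, the `organisation_members` and `equipment` tables, the `role` values, the companion `auth_role()` helper, and the assumption that a user belongs to exactly one organisation are all assumptions made here. `auth.uid()` is Supabase's standard function returning the authenticated user's id.

```sql
-- Assumed membership table: which user belongs to which organisation, and with what role.
create table organisation_members (
  user_id         uuid not null,
  organisation_id uuid not null,
  role            text not null check (role in ('super_admin', 'admin', 'staff', 'student')),
  primary key (user_id, organisation_id)
);

-- Assumed implementation of the helper named on the page: resolve the caller's
-- organisation from their membership row. "security definer" lets the function
-- read the membership table even when RLS restricts the calling role; "stable"
-- lets the planner evaluate it once per statement rather than once per row.
create or replace function auth_organisation_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select organisation_id
  from organisation_members
  where user_id = auth.uid()
  limit 1;  -- assumption: a user belongs to a single organisation
$$;

-- Companion helper (assumption): the caller's role inside that organisation.
create or replace function auth_role()
returns text
language sql
stable
security definer
set search_path = public
as $$
  select role
  from organisation_members
  where user_id = auth.uid()
  limit 1;
$$;

-- Example tenant-scoped table (assumption). Defaults pin new rows to the
-- caller's organisation and identity even if the application omits them.
create table equipment (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null default auth_organisation_id(),
  name            text not null,
  created_by      uuid not null default auth.uid()
);

-- With RLS enabled, no row is visible or writable until a policy allows it.
-- "force" applies the policies to the table owner as well.
alter table equipment enable row level security;
alter table equipment force row level security;

-- Any member of the organisation may read that organisation's rows (Student tier and up).
create policy equipment_select_own_org on equipment
  for select
  using (organisation_id = auth_organisation_id());

-- Admins and Super Admins may create rows; the WITH CHECK clause rejects an
-- insert that names a different organisation, closing the cross-tenant write path.
create policy equipment_insert_admins on equipment
  for insert
  with check (organisation_id = auth_organisation_id()
              and auth_role() in ('super_admin', 'admin'));

-- Admins and Super Admins may edit any row in their organisation, but cannot
-- move a row into another organisation.
create policy equipment_update_admins on equipment
  for update
  using (organisation_id = auth_organisation_id()
         and auth_role() in ('super_admin', 'admin'))
  with check (organisation_id = auth_organisation_id());

-- Staff may edit only records they created, matching the role table above.
create policy equipment_update_staff_own on equipment
  for update
  using (organisation_id = auth_organisation_id()
         and auth_role() = 'staff'
         and created_by = auth.uid())
  with check (organisation_id = auth_organisation_id()
              and created_by = auth.uid());

-- Check from a session carrying a user's JWT: only rows whose organisation_id
-- matches the caller's are returned, whatever WHERE clause the application sends.
select id, name from equipment;
```

Because the policies are attached to the table, an application bug that forgets a `WHERE organisation_id = ...` filter still returns only the caller's organisation, which is the property the text above relies on. In a real deployment the membership table itself would also carry RLS policies, and the `security definer` helpers should be owned by a trusted role so that the lookup cannot be redefined by ordinary users.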
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 by Supabase (PostgreSQL on AWS RDS)
- Uploaded files (SDS documents, service certificates) are stored in private Supabase Storage buckets with per-organisation access controls
- Files are served via short-lived signed URLs (1-hour expiry) — never via public URLs
- Authentication tokens are httpOnly, Secure cookies managed by Supabase Auth
Authentication
- Email/password authentication with Supabase Auth
- Google and Microsoft OAuth SSO available
- Sessions are automatically refreshed and expired by Supabase
- Password reset via email with time-limited secure tokens
- Email invitations with single-use links
File upload safety
- Uploads are restricted to specific MIME types per feature (PDF, JPEG, PNG, WEBP, XLSX)
- File size limits enforced (25 MB for service records, varies by feature)
- Files are stored in private buckets — not accessible without authentication
- Storage paths include organisation ID to enforce org-level isolation
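As an added example (not LevelSixLabs' own storage configuration), the PostgreSQL below shows how the file-upload safeguards listed above can be enforced inside Supabase Storage: a private bucket with a size limit and an allowed MIME list, and `storage.objects` policies that require the first path segment to equal the caller's organisation ID. The bucket name `documents`, the path layout `<organisation_id>/<feature>/<file>`, and reading the organisation ID and role from the JWT's `app_metadata` claim (used here so the block stands alone; the page's `auth_organisation_id()` helper would serve the same purpose) are assumptions. `storage.buckets`, `storage.objects`, `storage.foldername()`, `storage.extension()` and `auth.jwt()` are Supabase's standard schema objects.

```sql
-- Private bucket (assumption: named "documents"). public = false means an object
-- is reachable only through an authenticated request or a short-lived signed URL.
-- file_size_limit is in bytes; allowed_mime_types is enforced on upload by Storage.
insert into storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
values (
  'documents',
  'documents',
  false,
  26214400,  -- 25 MB, the service-record limit quoted on the page
  array[
    'application/pdf',
    'image/jpeg',
    'image/png',
    'image/webp',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'  -- XLSX
  ]
);

-- Read: a signed-in user sees only objects whose first folder is their organisation.
-- storage.foldername(name) returns the path segments before the file name as text[].
create policy documents_read_own_org on storage.objects
  for select
  to authenticated
  using (
    bucket_id = 'documents'
    and (storage.foldername(name))[1] = (auth.jwt() -> 'app_metadata' ->> 'organisation_id')
  );

-- Upload: the same path rule, so a caller cannot write into another organisation's
-- folder, plus an extension allow-list as a second check beside the MIME list.
create policy documents_upload_own_org on storage.objects
  for insert
  to authenticated
  with check (
    bucket_id = 'documents'
    and (storage.foldername(name))[1] = (auth.jwt() -> 'app_metadata' ->> 'organisation_id')
    and lower(storage.extension(name)) in ('pdf', 'jpg', 'jpeg', 'png', 'webp', 'xlsx')
  );

-- Delete: limited to admin-tier roles (assumed claim "role" in app_metadata).
create policy documents_delete_admins on storage.objects
  for delete
  to authenticated
  using (
    bucket_id = 'documents'
    and (storage.foldername(name))[1] = (auth.jwt() -> 'app_metadata' ->> 'organisation_id')
    and (auth.jwt() -> 'app_metadata' ->> 'role') in ('super_admin', 'admin')
  );
```

The policies make the organisation ID in the storage path authoritative at the database layer: an upload to `other-org-id/service-records/x.pdf` fails the `WITH CHECK`, and a listing or download request for another organisation's folder returns nothing. Note that `app_metadata` (unlike `user_metadata`) cannot be edited by the end user through the client, which is why it is the right claim to key these checks on.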
Security headers
- Content-Security-Policy (CSP) — restricts resource loading to trusted origins
- X-Frame-Options: SAMEORIGIN — prevents clickjacking
- X-Content-Type-Options: nosniff — prevents MIME-sniffing attacks
- Strict-Transport-Security (HSTS) — enforces HTTPS for 2 years
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy — disables access to camera, microphone, geolocation at the browser level
Incident response
In the event of a data breach affecting personal data, we will notify affected customers and, where required by UK GDPR, the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
Compliance
- UK GDPR compliant data handling and processing
- Data stored in EU West (London) region by default
- Data Processing Agreement (DPA) available on request
- Annual security review planned
To request a Data Processing Agreement, contact privacy@levelsixlabs.com.
Infrastructure security
| Provider | Certification |
|---|---|
| Vercel (hosting) | SOC 2 Type II |
| Supabase (database + auth) | SOC 2 Type II |
| Stripe (payments) | PCI DSS Level 1 |
Security documentation for each provider is available on their respective trust pages.
LevelSixLabs Ltd
Registered in Scotland, United Kingdom.
For any questions about this document, contact us at privacy@levelsixlabs.com