Comiine
Security

Security is architecture, not a feature.

Industrial maintenance data is operational intelligence. We protect it at the database layer, not the application layer because application-layer security does not survive a determined contractor with a valid session token.

Principles

Four commitments.

Row-level security at the database

Access control is enforced by PostgreSQL RLS policies, not application code. A compromised API layer cannot read rows it is not authorised for. Every query is filtered before it leaves the database.

Encryption in transit and at rest

Data is encrypted at rest on managed PostgreSQL infrastructure, and every connection is encrypted in transit. Nothing moves between the technician app and the database in the clear.

Immutable audit trail

Every write is recorded with the acting user and timestamp. Signed work is chained cryptographically, so a record cannot be quietly edited after the fact — by anyone, including administrators.

Least-privilege access control

Role-based access by site, team, and asset class, enforced by the same database policies that filter every query. No user sees more than their role requires.

Infrastructure

What runs under the hood.

PostgreSQL + Supabase

All data lives in PostgreSQL with row-level security policies, on managed Supabase infrastructure hosted in the United States today. No proprietary database lock-in.

Offline-first sync

Mobile writes queue locally and sync over encrypted connections when the device reconnects. Conflicts are resolved with an audit record, never silently.

Residency roadmap

African data residency is on our funded roadmap: continental hosting first, sovereign in-country hosting after. We will state exactly where your data lives at every step.

Compliance

What we claim, and what we do not.

Botswana Data Protection Act, 2024

Comiine is built in Botswana and designed to align with the DPA from the schema up. We sign data-processing agreements on request.

Certifications

We do not hold SOC 2 or ISO 27001 today, and we will never imply that we do. Formal certification is on our funded roadmap, and its real status will be published on this page.

Regional readiness

As we deploy across the region, we will meet the data-protection requirements of each market we enter — POPIA included — before we sign customers there.

Practices

How we operate.

Vulnerability disclosure

Responsible disclosure to security@comiine.com. We acknowledge quickly, triage seriously, and credit reporters.

Dependency management

We track security advisories across our dependency tree and treat critical vulnerabilities as stop-work priorities.

Backup and recovery

Automated database backups with documented restore procedures, rehearsed before we ask anyone to trust us in production.

Incident response

If a confirmed breach affects your data, you hear it from us within 24 hours, followed by a written post-incident review.

Questions about security?

We publish what we can and explain what we cannot. Reach us at security@comiine.com or request a DPA.