Security & trust
What we actually do to protect your data — stated plainly. We list only controls that are live, and we mark what's still planned.
Every workspace sits behind account authentication (email + password or Google sign-in) handled by Supabase Auth. Sessions use short-lived tokens that refresh automatically and can be revoked.
Staff logins are scoped by role. A bar manager sees bar operations, a finance lead sees money, gate crew see check-ins — access to financial data is restricted to the roles you choose.
Each organisation's data is separated per company and per event. Server-side authorisation checks run on every request that touches your data — one customer can never read another's records.
All traffic is served over HTTPS/TLS. Data is stored in Supabase-managed PostgreSQL, which encrypts data at rest.
Sensitive actions — payments approved, budget lines changed, staff access granted — are written to an audit log with who did what and when.
You can export budgets, reports and event data as CSV or PDF at any time, and request full account deletion. Your data is never sold or shared between customers.
The platform runs on Vercel with the database hosted by Supabase, including automated daily backups managed by the database provider.
Public uptime monitoring with a status page you can subscribe to.
Festival Copilot does not currently hold SOC 2, ISO 27001 or similar certifications, and we won't display badges we haven't earned. Our infrastructure providers (Vercel and Supabase) maintain their own compliance programmes. We handle personal information in line with our Privacy Policy, including POPIA and GDPR data-subject rights such as access, export and deletion.
We appreciate responsible disclosure. Email hello@festivalcopilot.com with the details and we'll respond as quickly as we can. Please don't access other customers' data while testing.