DAFTAR

Trust centre

Trust, security & privacy

This page is maintained by Daftar to answer common security and privacy questions about the product. It describes practices currently in place; it is not an independent certification.

Data isolation

Each customer's data lives behind row-level security policies scoped to the organisation membership of the signed-in user. Cross-tenant reads are denied by the database itself, not only by application code. Privileged operations (role grants, webhook ingest) are gated server-side and verified before any write.

Tamper-evident records

Every issued invoice and credit note is sealed with a cryptographic hash that chains to the previous document in the series. The hash, sequential number, and previous hash are immutable from client sessions — only the issue flow can mint them. Auditors and tax inspectors can verify the chain end-to-end without trusting the application.

Authentication

Daftar supports email/password and Google sign-in. Passwords are hashed by the auth provider; we never see them in plaintext. Sessions use httpOnly refresh rotation and time out on inactivity. Team members are invited by email with role-based access (owner, accountant, viewer); roles are stored in a separate table and validated by security-definer functions to prevent privilege escalation.

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest on managed Postgres storage. Database backups are encrypted. Object storage (PDF attachments, uploads) is private by default and accessed through signed URLs.

Hosting & data residency

The application runs on a global edge runtime; the primary database and storage are hosted by Supabase. We will surface region-residency options as Oman and GCC-region compliance regimes (OTA e-invoicing, ZATCA, UAE FTA, PDPL) finalise their requirements. Reach out if you need a specific region today and we will discuss options.

What we collect

We collect the data you enter to run your business (clients, invoices, expenses, bank transactions) and standard account metadata (email, sign-in events, IP for security). We do not sell personal data. See the Privacy policy for full detail.

Subprocessors

Daftar uses Supabase (database, auth, storage), Cloudflare (edge runtime, CDN), and Google Gemini (for in-app AI features only when you use them). Customer financial data is not sent to Gemini unless you explicitly invoke an AI action.

Audit log

Every create, update, and delete on financial records is captured to an append-only audit log scoped to the organisation, with the acting user, timestamp, table, and before/after payload. Owners can export this for inspection.

Reporting a vulnerability

If you believe you have found a security issue, please email security@daftar.pro with reproduction steps. We will acknowledge within two business days. Please do not test against other customers' data.

Last reviewed: June 2026.