Trust

Security

MaidCopilot is built to handle sensitive personal data — maid biodata, employer records, and WhatsApp conversations. This page describes the technical and organisational controls we use to keep that data secure.

🔐

Data isolated by design

Row-Level Security enforced at the database layer. Each agency's data is invisible to all other workspaces.

🇸🇬

Singapore data residency

All primary data is stored in AWS ap-southeast-1 (Singapore). No customer data is stored outside Singapore except where you choose to send WhatsApp messages.

📋

Full audit trail

Every material data change is recorded with user identity and timestamp. Audit logs are retained for 5 years.

Data security

Encryption & isolation

Encryption in transitAll connections between your browser, the MaidCopilot application, and the database use TLS 1.2 or higher. Connections over plain HTTP are rejected.

Encryption at restAll data stored in the database and all uploaded documents (PDFs, identification copies) are encrypted at rest using AES-256.

Row-Level SecurityEnforced at the Postgres database layer using Supabase RLS policies. Queries from one agency workspace cannot return rows belonging to another.

Webhook HMAC verificationAll inbound WhatsApp webhooks from Meta are verified using HMAC-SHA256 signatures before any message is ingested. Unsigned or invalid requests are rejected.

Access control

Authentication & permissions

Passwordless authenticationMaidCopilot uses magic-link authentication. No passwords are stored. Login links are single-use and expire after a short period.

Role-based access controlTwo roles: Owner (full workspace access, billing, settings) and Coordinator (inbox, cases, biodata). Role assignments are enforced server-side.

Team member deactivationAgency owners can deactivate team members instantly. Deactivated accounts lose all platform access immediately, including active sessions.

Production access controlsDirect access to production infrastructure is restricted to authorised Coreframes Lab personnel. All production access is logged.

Infrastructure

Hosting & reliability

MaidCopilot is built on managed infrastructure from established providers, each operating their own security programmes.

Stack

● Database & storage — Supabase / AWS ap-southeast-1 (Singapore)

● Backend API — Railway (Singapore region)

● Frontend — Vercel CDN (no personal data at edge)

● WhatsApp — Meta Cloud API (message delivery only)

Supabase and Railway provide automatic daily backups. Backup retention and restoration procedures are tested periodically. For the full subprocessor list including entity country and data location, see our Subprocessors page.

Audit logging

Accountability

MaidCopilot maintains an immutable audit log of all material data operations within a workspace. Each log entry records:

The action performed (create, update, delete)
The resource affected (e.g., maid record, case, team member)
The user who performed the action (user ID and email)
The timestamp (UTC)

Audit logs are accessible to agency Owners from within the platform and are retained for 5 years.

Incident response

Breach notification

In the event of a confirmed security incident that affects customer personal data, Coreframes Lab will:

Notify affected customers within 3 business days of confirming the incident
Provide details of the nature of the incident, the data and individuals affected, likely consequences, and remediation steps taken
Notify the Personal Data Protection Commission (PDPC) within the timeframes required by the PDPA Mandatory Data Breach Notification obligation, where applicable

Customers with a signed DPA are covered by the breach notification obligations described in the Data Processing Agreement.

Vulnerability disclosure

Responsible disclosure

If you discover a security vulnerability in MaidCopilot, please report it responsibly by emailing us directly. We will acknowledge your report within 2 business days and work to resolve confirmed vulnerabilities promptly.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We do not currently operate a bug bounty programme.

Security reports: admin@coreframeslab.com — please include "Security Report" in the subject line.

Security contact

Get in touch

For security-related questions, vulnerability reports, or to request additional security documentation for your procurement or compliance review:

Coreframes Lab — Security

admin@coreframeslab.com

Related: DPA · Subprocessors · PDPA Policy · Compliance overview