How we protect your data.

Data residency

Application and database services run in Supabase's Sydney region (ap-southeast-2). Customer data is encrypted at rest and in transit.

Authentication

We sign users in with passwordless email magic links. Sessions are managed via Supabase Auth with SameSite-strict cookies. Admin paths require a separate elevation factor.

Tenant isolation

Postgres row-level security policies enforce per-user access to bookmarks, saved searches, bid drafts, and profile data. Service-role writes are restricted to scheduler and webhook code paths.

Responsible disclosure

Report a vulnerability to security@arkqon.com. We acknowledge within one business day and target a fix or mitigation within 30 days for high-severity issues.