Security Policy

First Mate Security — Updated January 2026

Our Commitment

The ReTern takes the security and privacy of your data seriously. Our First Mate CRM and community platform are built on modern, secure infrastructure with enterprise-grade protections.


1. Infrastructure Security

Hosting & Database

  • Supabase: Our database and authentication run on Supabase, which provides enterprise-grade PostgreSQL with row-level security (RLS), encrypted connections, and automatic backups
  • Vercel: Our web application is deployed on Vercel's edge network with automatic SSL, DDoS protection, and global CDN
  • All data in transit: Encrypted via TLS 1.2+ (HTTPS everywhere)
  • All data at rest: Encrypted using AES-256

Authentication

  • Powered by Supabase Auth with secure session management
  • Passwords are hashed using bcrypt with unique salts
  • JWT tokens with short expiration windows
  • Row-level security policies ensure users can only access their own data

2. Payment Security

  • Stripe: All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider
  • We never store credit card numbers, CVVs, or full card details on our servers
  • Payment data is tokenized and processed entirely through Stripe's secure infrastructure

3. Data Access Controls

  • Row-Level Security (RLS): Every database query is filtered by user ID. You can only see your own contacts, activities, and pipeline data
  • Role-based access: Admin functions are restricted to authorized team members only
  • API security: All API endpoints require authenticated sessions with valid JWT tokens
  • No shared data: Your CRM data, contacts, and pipeline are completely isolated from other users
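The per-user filtering described in this section is what a Postgres row-level security policy does. The SQL below is an added illustration written for this page; it is not First Mate's own schema or code. It assumes a Supabase-style setup (the `authenticated` role and the `auth.uid()` helper that reads the `sub` claim of the request's JWT, both of which Supabase provides) and a hypothetical `public.contacts` table with an owner column `user_id`.

```sql
-- Added illustration; the table name and columns are assumptions, not First Mate's schema.
create table if not exists public.contacts (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null default auth.uid() references auth.users (id),
  name       text not null,
  created_at timestamptz not null default now()
);

-- Step 1: enable RLS. A policy on a table where RLS is not enabled filters nothing,
-- so this line is the one to check first when reviewing isolation.
alter table public.contacts enable row level security;
-- Apply RLS to the table owner as well, so a connection using the owner role
-- cannot read across users by accident.
alter table public.contacts force row level security;

-- Step 2: one policy per operation. USING filters the rows a user can see or
-- touch; WITH CHECK rejects writes that would place a row under another user's id.
-- A select-only policy would leave inserts and updates unrestricted.
create policy "contacts_select_own" on public.contacts
  for select to authenticated
  using (user_id = auth.uid());

create policy "contacts_insert_own" on public.contacts
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "contacts_update_own" on public.contacts
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "contacts_delete_own" on public.contacts
  for delete to authenticated
  using (user_id = auth.uid());

-- Step 3: verify from psql by impersonating a signed-in user the way the API
-- layer does: switch to the authenticated role and set the JWT claims.
-- The uuid is a constructed placeholder, not a real account.
begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  -- Returns only rows whose user_id equals the sub claim; other users' rows are invisible.
  select id, name from public.contacts;
  -- An insert with a different user_id is rejected by the WITH CHECK clause:
  -- insert into public.contacts (user_id, name)
  --   values ('00000000-0000-0000-0000-000000000002', 'someone else');
rollback;
```

Two checks worth repeating in any review of a setup like this: confirm `relrowsecurity` is true for every table holding customer data (`select relname, relrowsecurity from pg_class where relnamespace = 'public'::regnamespace`), and confirm every table has policies covering insert and update, not only select.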

4. Data Retention & Deletion

  • Your data is retained while your account is active
  • Upon account closure, data is deleted within 30 days
  • You can request export or deletion of your data at any time by contacting hello@theretern.com
  • Backup systems may retain encrypted copies for up to 90 days

5. Third-Party Services

We use a limited number of trusted third-party services:

  • Supabase: Database, auth, and storage (SOC 2 Type II compliant)
  • Vercel: Hosting and deployment (SOC 2 Type II compliant)
  • Stripe: Payment processing (PCI DSS Level 1)
  • Google Analytics: Anonymous website analytics

All third-party providers are contractually obligated to protect your data. We regularly review their security practices and compliance certifications.


6. Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly:

Email: hello@theretern.com
Subject: Security Vulnerability Report

We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly. We do not currently offer a bug bounty program.


7. Contact

Questions about our security practices?

Email: hello@theretern.com
Mail: The ReTern, 5 N. Beach, Nantucket, MA 02554


Last Updated: January 2026