MicroFlow

Data Protection Policy

Last updated: March 2026

1. Purpose

This Data Protection Policy outlines how MicroFlow DealReg protects the data entrusted to us by our vendor and partner customers. It describes our security architecture, data handling practices, and incident response procedures.

2. Data Controller and Processor Roles

Under applicable data protection legislation:

  • Data Controller: The vendor organisation that subscribes to MicroFlow DealReg and determines the purposes and means of processing deal registration data.
  • Data Processor: MicroFlow by The Channel Sherpas processes data on behalf of the vendor in accordance with their instructions and this policy.
  • Data Subjects: Partner users and customer contacts whose personal data is processed through the platform.

We process data solely for the purpose of providing the MicroFlow DealReg service as instructed by the data controller.

3. Security Architecture

MicroFlow DealReg implements multiple layers of security to protect customer data:

  • Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All database storage and file attachments are encrypted at rest using AES-256 encryption.
  • Authentication: User authentication is managed through Supabase Auth with secure session tokens. Passwords are hashed using bcrypt.
  • Role-based access control (RBAC): Granular permissions ensure users can only access data appropriate to their role (admin, reviewer, read-only, partner user).
  • Row-level security (RLS): Database-level policies enforce tenant isolation, preventing cross-organisation data access even in the event of application-level bugs.

4. Multi-Tenant Data Isolation

MicroFlow DealRegis a multi-tenant platform. Each vendor's data is logically isolated through:

  • Tenant-scoped database queries — every data access is filtered by the authenticated user's organisation.
  • PostgreSQL Row-Level Security policies enforced at the database layer, independent of application code.
  • Separate storage paths for file attachments, scoped per deal and organisation.
  • API routes that validate tenant scope before returning or modifying any data.

5. Data Handling

5.1 Data Storage

Application data is stored in a PostgreSQL database hosted by Supabase. File attachments are stored in Supabase Storage. All infrastructure is hosted in secure, SOC 2 compliant data centres.

5.2 Data Backups

Database backups are performed automatically by our infrastructure provider. Point-in-time recovery is available for the retention period defined by the vendor's subscription tier.

5.3 Data Deletion

When a vendor terminates their subscription or requests data deletion, all associated data — including deal records, user accounts, file attachments, and audit logs — is permanently deleted within 90 days. Vendors can request immediate deletion by contacting info@microflowenablement.com.

5.4 Sub-Processors

We use the following sub-processors to deliver our services:

  • Supabase — Database hosting, authentication, file storage
  • Vercel — Application hosting and CDN
  • Stripe — Payment processing
  • Resend — Transactional email delivery

Each sub-processor is bound by data processing agreements that require them to protect data to standards at least as stringent as those described in this policy.

6. Incident Response

In the event of a data breach or security incident:

  • Our team will investigate and contain the incident within 24 hours of detection.
  • Affected data controllers (vendors) will be notified within 72 hours of confirmed breach, in compliance with GDPR Article 33.
  • A full incident report will be provided, including the nature of the breach, data affected, remediation steps taken, and measures to prevent recurrence.
  • We will cooperate fully with affected parties and relevant supervisory authorities.

7. Employee Access

Access to customer data by MicroFlow personnel is limited to authorised staff who require it for support, maintenance, or incident response. All access is logged and subject to audit. Employees are bound by confidentiality obligations.

8. Compliance

MicroFlow DealReg is designed to support compliance with:

  • General Data Protection Regulation (GDPR)
  • Australian Privacy Principles (APPs)
  • Other applicable data protection legislation in the jurisdictions where our customers operate

9. Policy Review

This policy is reviewed at least annually and updated as needed to reflect changes in our practices, technology, or legal requirements.

10. Contact Us

For questions about this Data Protection Policy, to report a security concern, or to exercise data subject rights, contact us at:

MicroFlow by The Channel Sherpas
Email: info@microflowenablement.com

See also our Privacy Policy for details on how we collect and use personal information.