frommby
Security
frommby is small but we take this seriously. Here's exactly how the site is built, where your data lives, and what we do to protect it.
Last updated .
The short version. We run on Vercel and Supabase — two well-known platforms with strong security defaults. Your waitlist data sits in a Postgres database in the EU, encrypted at rest and in transit, and the public website can only insert new records, never read them. If you spot something we've missed, please email hello@frommby.com.
Infrastructure
We deliberately use a small number of well-understood, well-staffed platforms rather than rolling our own:
- Vercel hosts the frommby website, serves static assets through its global edge network, and runs the server-side code that handles your form submission. Vercel is SOC 2 Type 2 audited and provides TLS, DDoS mitigation and request isolation as standard.
- Supabase provides our Postgres database. Our project is hosted in the European Union. Supabase runs on AWS infrastructure with SOC 2 Type 2 and HIPAA-eligible controls; data is encrypted at rest with AES-256 and in transit with TLS 1.2+.
- postcodes.io is a public service we use only to convert a UK postcode into approximate coordinates. It receives the postcode and nothing else — no name, no email.
That's the full list. There's no third-party analytics, no advertising network, no tag manager, no chat widget.
Data in transit
Every connection to the frommby site is served over HTTPS with modern TLS — there is no HTTP option. Certificates are managed automatically by Vercel and renewed on a continuous basis. Traffic between Vercel's server functions and Supabase is encrypted in transit.
Data at rest
Your waitlist record is stored in Supabase Postgres. The underlying disks are encrypted at rest with AES-256. We use the database's built-in spatial type (PostGIS) to store the coordinates derived from your postcode — they're not precise to your home, just close enough to put you in a neighbourhood.
Access control
This is where most "small startup" sites get it wrong, so we want to be precise:
- The Supabase waitlist table has Row Level Security enabled.
- The only policy on the table allows INSERT by anonymous users. There is no SELECT, UPDATE or DELETE policy for anonymous traffic.
- That means the public website — even using our public Supabase key — can add a waitlist record but cannot read, modify or delete any record.
- Reading the waitlist requires the Supabase service-role key, which lives only in our private environment and is never sent to the browser.
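One way to express the policy set described in the list above, together with queries that verify it. This is an added example, not frommby's actual schema: the column names, policy name and sample values are assumptions, and it assumes a session (such as the Supabase SQL editor) that is allowed to switch to the anon role Supabase uses for public-key traffic.

```sql
-- Added example: only the table name "waitlist" comes from the page.
create extension if not exists postgis;

create table if not exists public.waitlist (
  id         bigint generated always as identity primary key,
  email      text not null,                 -- assumed column
  postcode   text not null,                 -- assumed column
  location   geography(Point, 4326),        -- approximate coordinates from the postcode
  created_at timestamptz not null default now()
);

-- With RLS enabled, any command that has no matching policy is denied.
alter table public.waitlist enable row level security;

-- The single policy: anonymous traffic may INSERT and nothing else.
create policy waitlist_anon_insert
  on public.waitlist
  for insert
  to anon
  with check (true);

-- Defence in depth: remove table privileges the anon role never needs,
-- so a policy added by mistake later does not silently open reads.
revoke select, update, delete, truncate on public.waitlist from anon;

-- Check 1: RLS is enabled (relrowsecurity should be true).
select relname, relrowsecurity
from pg_class
where oid = 'public.waitlist'::regclass;

-- Check 2: list every policy on the table.
-- Expect exactly one row: cmd = 'INSERT', roles = {anon}.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'waitlist';

-- Check 3: act as the public key would, inside a transaction that is rolled back.
begin;
set local role anon;
insert into public.waitlist (email, postcode)
values ('test@example.invalid', 'SW1A 1AA');   -- constructed sample row; succeeds
select count(*) from public.waitlist;          -- fails: permission denied for anon
rollback;
```

An INSERT ... RETURNING issued as anon is also rejected, because RETURNING needs read access to the new row, so the public form handler has to insert without asking for the row back.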
Access to the Supabase and Vercel dashboards themselves is restricted to a very small number of people, with strong passwords and multi-factor authentication required.
Secrets and configuration
Sensitive values — database URLs, service-role keys, third-party tokens — are stored as environment variables in Vercel and Supabase and never committed to our git repository. The site's source code is reviewed before changes go live.
Backups and availability
Supabase performs automated backups of our Postgres database. Vercel builds the site from our git repository, so if our deployment is lost we can rebuild it from source in minutes.
Responsible disclosure
If you think you've found a security issue with frommby — even a small one — we want to hear about it. Please email hello@frommby.com with the detail. We'll acknowledge your message within a couple of working days and keep you updated while we look into it.
Please don't publish the issue or test it against real user data while we're investigating. We treat anyone who acts in good faith with the same.
What we'll add next
When we move beyond the waitlist into real producer and shopper accounts, we'll be adding:
- Supabase Auth for email and magic-link sign-in.
- More granular RLS policies so producers can only read and edit their own listings, and shoppers can only read and edit their own orders.
- A Stripe integration for payments — we won't touch card details ourselves.
This page will be updated when those land.
Get in touch
Anything not covered? Email hello@frommby.com.