Step 1 — Run SQL in Supabase

Open your Supabase project → SQL Editor → paste and run the SQL in the HTML comment at the top of admin.html. This creates the profiles and module_access tables with RLS policies and a trigger that auto-creates profiles for new signups.

Step 2 — Make yourself admin

After running the SQL above, run this to promote your account:

Step 3 — Invite staff

New users who sign up (or are invited via Supabase Auth) automatically get the user role. Use the Users tab above to promote anyone who needs admin access. Use the Module Access tab to control which modules users can see.

About roles

Admin — Full access to all modules, all management features (Manage templates, Settings, Edit Templates), and this Admin Panel.

User — Access only to modules enabled by admins. Cannot see template management, pricing settings, or this admin panel. Can view data, generate documents, add references, and use all workflow tools.

✅ HTTPS / TLS 1.3

All traffic is encrypted in transit via Cloudflare TLS. HSTS is enforced (max-age 2 years) — browsers will always use HTTPS.

✅ Data Encrypted at Rest

Supabase encrypts all database data at rest using AES-256. Backups are also encrypted. No plaintext storage of any data.

✅ Passwords Hashed

User passwords are never stored. Supabase Auth uses bcrypt hashing. Password resets are handled via secure email links.

✅ Row Level Security (RLS)

All database tables enforce RLS. Users cannot read or write data outside their permitted scope. Role escalation is blocked at the database level via security-definer policies.

✅ Content Security Policy

HTTP security headers are served by Cloudflare Pages: CSP, X-Frame-Options (clickjacking protection), HSTS, Permissions-Policy, Referrer-Policy, and CORP/COOP headers.

✅ Session Security

Supabase JWT sessions expire automatically. The portal auto-signs-out users after 60 minutes of inactivity. Tokens are stored in sessionStorage only (cleared on tab close).

Lawful Basis

Processing of staff and client data is carried out under Legitimate Interests (internal operational tool for accounting practice) and Contract (staff employment). No special category data is processed.

Data Minimisation

Only data necessary for operations is collected: staff email/name for access control; client names/refs/job numbers for workflow; task descriptions for planning. No tracking, analytics, or advertising data.

Data Location

Data is stored in Supabase. Check your Supabase project region — for UK/EU compliance, the project should be in the EU West region. If in US regions, ensure Standard Contractual Clauses (SCCs) are in place via Supabase's DPA.

Supabase Privacy Policy →   Supabase DPA →

Data Retention

No automatic retention enforcement is currently configured. Recommended: review and archive/delete completed proposals and closed job records annually. Staff data (profiles) should be deleted within 30 days of a staff member leaving.

Data Subject Rights

Staff data subjects may exercise their rights (access, erasure, portability) by contacting the practice. Use the Right to Erasure button in the Users tab to anonymise a user's profile. Full account deletion requires removing the user from Supabase Auth (Authentication → Users in your Supabase dashboard).

Data Breach Procedure

In the event of a suspected breach: (1) immediately revoke affected user sessions via Supabase Auth dashboard; (2) rotate the Supabase anon key in project settings; (3) notify the ICO within 72 hours if personal data is likely compromised; (4) notify affected individuals if high risk.

ICO Report: ico.org.uk →

Recent admin actions. Requires audit_log table — run the SQL in the setup tab to create it.