This statement describes BBB’s data residency, processing, and access posture in plain language. It exists to answer the questions GCC procurement teams reasonably ask: Where does my data live? Who can read it? What happens if a regulator asks?

Where your data is stored

All Customer Data is stored in Supabase Postgres in the AWS ap-south-1 (Mumbai) region. We chose ap-south-1 because:

• It satisfies Saudi PDPL adequacy provisions for cross-border data transfers.
• It is the geographically nearest region to the Gulf with full Postgres + Supabase support.
• Latency from Doha, Riyadh, Dubai, and Manama is consistently under 40ms.

Backups are stored in the same region. Encryption keys are stored in AWS KMS in the same region.

For Enterprise customers requiring strict in-country residency, we offer on-premise deployment of the BBB stack on customer-owned hardware. In that configuration, no Customer Data leaves your network. Pricing is bespoke; engagement quoted by scope.

Who can access your data

In normal operation: only you and your authorized users, authenticated via Supabase Auth and scoped by Postgres row-level security (RLS).

For support: only when you grant access. Our support engineers see anonymized error logs by default. Inspecting individual Customer Data requires:

1. An explicit support ticket from you naming what you’d like us to see.
2. Time-bounded grant from your admin (usually 24 hours).
3. An audit-log entry recording who accessed what, when, and why.

For incident response: only when isolated to the affected scope. If we detect an active security incident, our incident response team has time-limited access to triage. All access is audit-logged and reviewed by Argus’s department afterwards.

For compliance: never without your explicit cooperation. We do not respond to data requests from any government or law enforcement agency without serving you notice first (unless a binding gag order prevents notice, in which case we challenge the order).

How your data is encrypted

• In transit: TLS 1.3 with HSTS preload. No HTTP fallback.
• At rest in the database: Postgres TDE for the volume; per-tenant DEK encryption for sensitive columns (OAuth tokens, integration credentials, etc.).
• At rest in backups: AES-256-GCM with separate keys.
• Tenant-controlled KEK: your master key wraps your DEK. We never see the plaintext of your master key. You can rotate it on a schedule you control.

The result: even an attacker who exfiltrated our raw database files could not decrypt your tokens without your master key.

What happens at regulatory boundaries

We’ve engineered for the most common scenarios in the GCC:

Saudi PDPL data subject access request

Saudi law requires us to respond to verified Data Subject Access Requests within 30 days. BBB’s audit log + per-tenant data structure means we can produce the export within hours of receiving a verified request, without bespoke engineering work.

UAE PDPL cross-border transfer

UAE law allows cross-border transfer where adequate protections exist. ap-south-1 satisfies this; if the legal framework changes, we will migrate. We maintain a documented incident-response playbook for that scenario.

Qatar PDPPL

Qatar’s law mirrors Saudi PDPL closely. The same operational posture applies.

EU GDPR adequacy

BBB does not currently sell to EU customers. If you operate in both the GCC and the EU and need GDPR-aligned data handling, we follow GDPR principles for relevant data flows. Get in touch and we’ll walk through your specific situation.

”What if you go away?”

If BBB ceases operations, you have a 90-day window to export your data. The customer portal supports full export at any time; even without our active cooperation, the data dump is yours. We will publish wind-down procedures publicly if that ever becomes relevant.

What we publish

We believe in publishing the bar before promising we clear it. The following are publicly documented at:

• STRIDE threat model: shipped in our repo; available on request
• Jailbreak Atlas: documented adversarial prompts + mitigations
• Honeytoken policy: deployment + rotation cadence
• Incident classification matrix: severity definitions + customer notification commitments
• PDPL gap analysis: full mapping of BBB controls to PDPL articles

Contact

• Data sovereignty inquiries: [email protected]
• Security disclosures: [email protected] (PGP key on request)
• Procurement / vendor questionnaires: [email protected]

We typically reply within one business day.