Multiply is built for organisations that handle sensitive training content and learner data. Security is fundamental to how we design, deploy, and operate the platform.
Data Encryption
- In transit: All data is encrypted using TLS 1.3 for every connection between your browser, our servers, and third-party services.
- At rest: All data stored in our database is encrypted using AES-256 encryption, managed by Supabase on AWS infrastructure.
Data Residency
All primary data is stored in the European Union. Our database is hosted in AWS eu-central-1 (Frankfurt, Germany) via Supabase. Our application is deployed on Vercel with EU routing (Ireland). We do not store customer data outside the EU.
Authentication
- Authentication is managed through Supabase Auth with industry-standard password hashing (bcrypt).
- Session tokens are securely managed with appropriate expiry policies.
- Slack integration uses OAuth 2.0 with scoped permissions limited to only the channels and actions required by the platform.
Access Control
- Tenant isolation: All data is scoped to your organisation. There is no cross-tenant data access. Database queries enforce organisation-level filtering at the application layer.
- Role-based access: Users within an organisation are assigned roles that control their permissions within the platform.
- Internal access: Multiply staff access to production data is restricted and logged.
Infrastructure
- Application hosting: Vercel edge network with automatic DDoS protection, global CDN, and serverless compute.
- Database: Supabase managed PostgreSQL with automated backups, point-in-time recovery, and connection pooling.
- Rate limiting: API rate limiting via Upstash Redis to prevent abuse and ensure fair usage.
Monitoring
- Error tracking: Sentry provides real-time error monitoring and alerting across the application (EU-hosted instance).
- Uptime monitoring: Betterstack monitors platform availability with automated alerting and incident escalation.
- Structured logging: Application logs are structured and retained for operational debugging and security review.
Incident Response
In the event of a security incident, we follow a structured response process:
- Detection and containment: Automated monitoring alerts our engineering team. Affected systems are isolated immediately.
- Assessment: We evaluate the scope and impact of the incident, including whether customer data was affected.
- Notification: Affected customers are notified within 72 hours as required by GDPR. We provide clear details of what occurred and what actions we are taking.
- Remediation: We resolve the root cause, implement preventive measures, and document lessons learned.
AI Data Processing
Multiply uses Mistral AI (Paris, France) to generate campaign content from your training materials.
- Training content is sent to AI providers solely for the purpose of generating behavioural analyses and campaign messages.
- Content is processed in transit and is not stored by AI providers beyond the duration of the API request.
- Your training content is not used to train or fine-tune AI models.
- All AI-generated output is presented to you for review and approval before deployment to learners and managers.
- Personal data (learner names, manager names) is not sent to AI providers. Only training content and organisational context are transmitted.
Responsible Disclosure
If you discover a security vulnerability in the Multiply platform, please report it to security@multiplytransfer.com. We ask that you give us reasonable time to investigate and address the issue before disclosing it publicly. We do not pursue legal action against good-faith security researchers.
Compliance Roadmap
- GDPR: Compliant. We operate as a data processor under the GDPR and offer Data Processing Agreements on request.
- SOC 2 Type II: Planned. We are working toward SOC 2 Type II certification to provide independent assurance of our security controls.