Security & trust

How Compliance Hub Core hosts, protects and isolates your data.

A plain-English description of the architecture, sub-processors and operational commitments behind the product. Pair it with the privacy policy and the data processing agreement.

Hosting

The application is hosted on Vercel's global edge network as a Next.js app. TLS is terminated and certificates are managed automatically by Vercel; static assets are served from the edge CDN, with server rendering and API routes on Vercel's serverless runtime.

Each hub in the JonnyAI suite (Compliance, FM Control, Care) is an isolated Vercel project with its own environment and domain.

Database & file storage

Data is stored in a dedicated, managed Supabase PostgreSQL project that is independent from the company's other products — so this product's data is isolated and can be migrated or white-labelled on its own.

It is a managed PostgreSQL 17 instance hosted in the EU (eu-west-1, Ireland). Files (certificates, evidence, reports) are held in Supabase Storage and served only to authenticated, authorised users via short-lived signed URLs.

The project currently runs on the Supabase Free tier (see Backups & recovery for the implications).

Authentication & access control

Authentication is handled by Supabase Auth (email/password and Google sign-in). Every request is server-validated.

Access is enforced in the database with Row Level Security: users only ever see records for organisations and sites they are members of. Roles include super admin, organisation compliance manager, site management, staff and a restricted contractor portal. Privileged data is never sent to the browser without that scoping applied.

Audit logging

Create, update and delete activity across operational records is captured by database triggers into an append-only activity log, independent of the application layer. The log records who, what, when and the before/after JSON for every operational write.

Signed-in customers can view it in-app at /activity.
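The two database-level controls described above (Row Level Security scoping rows to organisation membership, and trigger-driven append-only audit logging with before/after JSON) are easiest to understand as SQL. The block below is an added illustration and is not Compliance Hub Core's schema or code: every table, column, policy and role name is assumed, `auth.uid()` is Supabase's built-in helper returning the calling user's id, and the role vocabulary is simplified to `manager` and `staff`.

```sql
-- Added illustration, not the product's schema: all names below are assumed.
-- auth.uid() is Supabase's helper for the caller's user id (null for anon/service-role jobs).
create table organisation_members (
  organisation_id uuid not null,
  user_id         uuid not null,
  role            text not null,            -- assumed values: 'manager', 'staff'
  primary key (organisation_id, user_id)
);

create table sites (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null
);

create table certificates (                  -- one "operational record" table
  id      uuid primary key default gen_random_uuid(),
  site_id uuid not null references sites(id),
  name    text not null,
  expires date
);

-- Membership check shared by the policies below. SECURITY DEFINER lets it read
-- organisation_members even when that table is itself locked down by RLS.
create function is_member_of_site(p_site_id uuid, p_roles text[] default null)
returns boolean language sql security definer stable as $$
  select exists (
    select 1
    from sites s
    join organisation_members m on m.organisation_id = s.organisation_id
    where s.id = p_site_id
      and m.user_id = auth.uid()
      and (p_roles is null or m.role = any (p_roles))
  );
$$;

-- 1. Row Level Security: rows are visible only to members of the owning organisation,
--    and writable only by members holding a managerial role.
alter table certificates enable row level security;

create policy certificates_member_read on certificates
  for select using (is_member_of_site(site_id));

create policy certificates_manager_write on certificates
  for all
  using (is_member_of_site(site_id, array['manager']))
  with check (is_member_of_site(site_id, array['manager']));

-- 2. Audit log populated by a trigger, so it cannot be skipped by application code.
create table activity_log (
  id              bigserial primary key,
  occurred_at     timestamptz not null default now(),  -- when
  actor_id        uuid,                                -- who (null for service-role jobs)
  organisation_id uuid,                                -- scopes who may read the entry
  table_name      text not null,                       -- what
  row_id          uuid,
  action          text not null,                       -- INSERT / UPDATE / DELETE
  before_row      jsonb,                               -- null on INSERT
  after_row       jsonb                                -- null on DELETE
);

create function log_activity() returns trigger
language plpgsql security definer as $$
declare
  -- NEW is null on DELETE and OLD is null on INSERT (PostgreSQL 11+), so take whichever exists.
  rec jsonb := coalesce(to_jsonb(new), to_jsonb(old));
begin
  insert into activity_log
    (actor_id, organisation_id, table_name, row_id, action, before_row, after_row)
  values (
    auth.uid(),
    (select organisation_id from sites where id = (rec ->> 'site_id')::uuid),
    TG_TABLE_NAME,
    (rec ->> 'id')::uuid,
    TG_OP,
    case when TG_OP in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when TG_OP in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- AFTER row trigger: the return value is ignored
end;
$$;

create trigger certificates_audit
  after insert or update or delete on certificates
  for each row execute function log_activity();

-- Append-only: members may read their own organisation's entries; nobody may rewrite them.
alter table activity_log enable row level security;

create policy activity_log_member_read on activity_log
  for select using (
    exists (select 1 from organisation_members m
            where m.organisation_id = activity_log.organisation_id
              and m.user_id = auth.uid())
  );

create function reject_write() returns trigger language plpgsql as $$
begin
  raise exception 'activity_log is append-only (% attempted on row %)', TG_OP, old.id;
end;
$$;

create trigger activity_log_immutable
  before update or delete on activity_log
  for each row execute function reject_write();
```

Two points a reviewer would check in a real deployment: `to_jsonb(new)` captures every column, so any table holding secrets or special-category personal data needs its sensitive columns stripped from `before_row`/`after_row` before insert; and no SELECT policy means a user with no membership row sees nothing at all, which is the fail-closed default you want once RLS is enabled.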

Backups & recovery

The database runs on Supabase's managed Postgres (currently the Free tier). The Free tier does not include managed automated daily backups or point-in-time recovery; in the interim, data durability is supported by the platform's version-controlled schema and seed scripts plus periodic manual exports.

Upgrading the Supabase project to the Pro tier enables daily automated backups and a 7-day point-in-time recovery window — recommended before onboarding production clients.

Data retention & offboarding

Customer data is retained for 3 months after offboarding, then permanently deleted.

On request, a full data export is provided in CSV format before deletion. See the data deletion policy.

GDPR & data protection

The platform is built for UK operators and the data model is structured for least-privilege access and auditability.

Sub-processors: Vercel (application hosting & edge CDN), Supabase (database, authentication and file storage), and Resend (transactional / digest email). No customer data is shared with other third parties.

Data controller / processor: Aleejy AI (United Kingdom). Privacy and data-protection enquiries: info@jonnyai.co.uk. Registered company address and data-processing agreements are available on request via that address.

Incident response

Report suspected security issues or data breaches to info@jonnyai.co.uk. We aim to acknowledge within one business day.

Where a personal-data breach is confirmed, affected controllers are notified without undue delay and within 72 hours of us becoming aware, in line with UK GDPR Articles 33–34.

Support

Email support: info@jonnyai.co.uk — best-effort response within two business days for Starter, one business day for Professional and white-label customers. Full terms in the support policy.

This page documents the platform's security architecture. It is not a contract; the data processing agreement and terms of service govern the formal commitments.