🔐 Security & GDPR

Built for the public sector

SupaWaste is designed from the ground up to meet the security, privacy, and compliance expectations of UK local authorities. Here's exactly how we protect your data and your residents' data.

Data protection

Your data — and your residents' data — is protected

SupaWaste processes two categories of data: operational data entered by local authority staff (streets, schedules, waste types), and lookup data generated when residents use the bin day widget (postcodes only — no personal data is stored).

We never sell data, share data with third parties for marketing purposes, or use resident lookup data for any purpose other than returning the correct collection schedule.

  • Operational data: Street lists, collection schedules, and waste type configurations entered by your team. Scoped strictly to your authority — no other authority can access it.
  • Resident lookup data: Postcodes entered into the resident widget. Not linked to any individual. No account created, no cookie set, no data retained beyond the lookup response.
  • Staff account data: Name and work email address for portal login. Used only for authentication and audit trail purposes.
  • Audit trail data: A record of every action taken within the portal — who changed what, and when. Retained for compliance and cannot be deleted by users.

GDPR

GDPR compliance

SupaWaste is designed to support your authority's GDPR obligations. We act as a data processor on your behalf — your authority remains the data controller for any personal data processed through the platform.

Lawful basis: Processing of staff account data is carried out under the lawful basis of legitimate interests (providing the contracted service). No special category data is collected or processed at any point.

  • Data processing agreement (DPA) available on request — reviewed and signed before go-live
  • No personal data collected from residents via the bin day widget
  • Staff personal data limited to name and work email — minimum necessary
  • Data subject access requests (DSARs) can be fulfilled on request
  • Right to erasure supported for staff accounts
  • Data retention periods documented and enforced
  • Sub-processors listed and kept current — available on request

Infrastructure

Infrastructure & hosting

SupaWaste is hosted on modern, enterprise-grade cloud infrastructure. All services are operated within the United Kingdom or European Economic Area.

  • Hosted on Supabase (PostgreSQL) and Vercel — both provide SOC 2 Type II certified infrastructure
  • All data in transit encrypted with TLS 1.2 or higher
  • All data at rest encrypted using AES-256
  • Database backups taken daily with point-in-time recovery
  • Platform uptime target: 99.9% — monitored continuously
  • Zero-downtime deployments via preview environment pipeline

Access controls

Access controls & data isolation

SupaWaste enforces strict data isolation between authorities. Access controls are enforced at the database layer using row-level security — not just at the application layer. This means a misconfiguration in application code cannot expose one authority's data to another.

  • Row-level security (RLS) enforced on all authority-scoped tables
  • Role-based access: waste manager, comms, and read-only roles available
  • Every portal action is written to an immutable audit log
  • Staff accounts can be deactivated immediately by your administrator
  • SupaWaste support staff can access accounts only with explicit permission, on a time-limited basis, with a full audit trail
  • SAML / SSO integration available on Enterprise plans
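
The database-layer isolation described above, sketched as plain PostgreSQL row-level security. This is an added example, not SupaWaste's schema or code; the table, its columns, the role `portal_app` and the setting `app.authority_id` are hypothetical.

```sql
-- Added illustration. All table, column, role and setting names are hypothetical.
CREATE TABLE collection_schedules (
    id             bigserial PRIMARY KEY,
    authority_id   uuid NOT NULL,
    street         text NOT NULL,
    waste_type     text NOT NULL,
    collection_day text NOT NULL
);

-- Turn RLS on, and apply it to the table owner as well.
ALTER TABLE collection_schedules ENABLE ROW LEVEL SECURITY;
ALTER TABLE collection_schedules FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. The tenant comes from a per-transaction
-- setting; if it is unset or empty the comparison yields NULL and no row matches.
CREATE POLICY authority_isolation ON collection_schedules
    FOR ALL
    USING      (authority_id = NULLIF(current_setting('app.authority_id', true), '')::uuid)
    WITH CHECK (authority_id = NULLIF(current_setting('app.authority_id', true), '')::uuid);

-- Unprivileged role the application connects as (no BYPASSRLS, not superuser).
CREATE ROLE portal_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON collection_schedules TO portal_app;
GRANT USAGE ON SEQUENCE collection_schedules_id_seq TO portal_app;

-- Constructed sample data: one row written on behalf of authority A.
BEGIN;
SET LOCAL ROLE portal_app;
SET LOCAL app.authority_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO collection_schedules (authority_id, street, waste_type, collection_day)
VALUES ('11111111-1111-1111-1111-111111111111', 'High Street', 'recycling', 'Tuesday');
COMMIT;

-- A request for authority B whose query forgets its own tenant filter.
BEGIN;
SET LOCAL ROLE portal_app;
SET LOCAL app.authority_id = '22222222-2222-2222-2222-222222222222';
-- No WHERE clause, yet the USING clause hides authority A's row.
SELECT street, collection_day FROM collection_schedules;
-- Writing a row tagged for authority A fails the WITH CHECK clause and
-- raises a row-level security violation instead of inserting.
INSERT INTO collection_schedules (authority_id, street, waste_type, collection_day)
VALUES ('11111111-1111-1111-1111-111111111111', 'Mill Lane', 'garden', 'Friday');
ROLLBACK;
```

PostgreSQL superusers and roles with the BYPASSRLS attribute are not subject to policies, so this isolation holds only for connections made as a role without those privileges.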

Data residency

All SupaWaste data is stored and processed within the United Kingdom or the European Economic Area. No data is transferred to or processed in the United States or any country without an adequacy decision under UK GDPR.

Sub-processors: We use a small number of sub-processors (including Supabase, Vercel, and Resend) to deliver the service. A full sub-processor list is available on request and will be provided as part of the DPA process.


Incident response

In the event of a security incident or data breach, SupaWaste will notify affected authorities without undue delay and in any case within 72 hours of becoming aware — in line with UK GDPR Article 33 obligations.

  • Dedicated security contact: security@supawaste.com
  • Incident response plan maintained and reviewed regularly
  • Notification to affected authorities within 72 hours of confirmed breach
  • Full incident report provided following investigation
  • Support provided for any required ICO notifications

Data processing

Data processing agreement

A Data Processing Agreement (DPA) is available for all paying customers and is reviewed and executed before any live data is processed. The DPA covers the nature and purpose of processing, data subject rights, sub-processor obligations, and breach notification procedures.

To request a copy of the DPA, contact us at dpa@supawaste.com.

Have a security or compliance question?

Our team is happy to answer questions from procurement, IG leads, or legal teams. We can also arrange a security review call ahead of any procurement decision.