Security at Trimly

Last updated: March 2026

Summary: Trimly is built on Supabase, hosted on Cloudflare and Vercel infrastructure, and uses industry-standard encryption throughout. Your business data is isolated per tenant, encrypted in transit and at rest, and never sold or shared with third parties.

Security overview

Trimly is a multi-tenant SaaS platform used by salon and spa businesses across East Africa. We take the security of your business data, staff records, and client information seriously. This page describes our security architecture, practices, and how to contact us if you discover a potential vulnerability.

Trimly is developed and maintained by Truthy Systems (truthysystems.com), a software studio based in Uganda.

Infrastructure & hosting

Trimly's backend database and authentication are hosted on Supabase, which runs on AWS infrastructure. All Supabase projects are deployed in isolated environments with SOC 2 Type II-compliant infrastructure.

The Trimly admin web application is hosted on Vercel, a platform with enterprise-grade security controls including DDoS mitigation, automatic HTTPS, and global edge infrastructure.

Static assets and file storage are served via Cloudflare R2 and Cloudflare's global CDN, which provides additional DDoS protection and TLS termination at the edge.

  • All infrastructure components use HTTPS/TLS 1.2 or later for all connections
  • No unencrypted HTTP traffic is permitted anywhere in the stack
  • Database connections require SSL and use certificate validation
  • Infrastructure is monitored with automated alerting for anomalous activity

Data encryption

In transit

All data transmitted between your browser, the Trimly admin application, and our backend services is encrypted using TLS 1.2 or TLS 1.3. This includes all API calls, authentication tokens, and data sync operations from the Flutter POS app.

At rest

All data stored in Supabase (PostgreSQL) is encrypted at rest using AES-256 encryption, managed by AWS. Supabase handles key management through AWS Key Management Service (KMS).

Sensitive credentials

Device provisioning credentials stored on POS terminals are encrypted using platform-native secure storage mechanisms — Android's Keystore system and Windows' DPAPI — via Flutter's flutter_secure_storage package. Credentials are never stored in plaintext on-device.

User passwords are hashed by Supabase Auth using bcrypt. Trimly never has access to plaintext passwords.

Authentication & access

Admin dashboard

Authentication for the Trimly admin portal is handled by Supabase Auth, which implements the OAuth 2.0 / OpenID Connect standard. Sessions are managed via HTTP-only secure cookies. All session tokens are short-lived and automatically refreshed.

Password reset flows use secure email-based one-time tokens that expire after 1 hour and are single-use. Trimly does not send passwords in plaintext via any channel.

Role-based access control

Every user account within a business is assigned a role (Owner, Manager, Receptionist, Viewer). Role permissions control which pages and data each user can access. Permissions are enforced at the API level on every request — not just in the UI.

POS device authentication

Flutter POS devices are provisioned using single-use, time-limited pairing codes (valid for 24 hours). Once provisioned, each device receives a unique set of credentials scoped to the specific business and branch. Staff authenticate on-device using a 4-digit PIN, which is stored as a hashed value and never transmitted in plaintext.

Tenant data isolation

Trimly is a multi-tenant platform. Each business's data is logically isolated using Supabase Row Level Security (RLS). Every database table that contains business data has RLS policies that restrict reads and writes to rows belonging to the authenticated business only.

These policies are enforced at the database level by PostgreSQL — not in application code. This means that even if application-level code had a bug, the database would still prevent cross-tenant data access.

Subdomain-based tenant routing (e.g. yourbusiness.trimlyos.com) includes a cross-tenant security check in the middleware layer: a session from Business A cannot access Business B's subdomain, even if the URL is known.

Offline & device security

The Trimly POS app uses PowerSync to maintain a local SQLite database on the device for offline operation. This local database is stored in the app's private data directory, inaccessible to other apps on the device.

When internet connectivity is restored, the local database syncs with Supabase over an encrypted TLS connection. Conflict resolution is handled deterministically by the PowerSync engine.

If a device is lost or stolen, it can be decommissioned from the Trimly admin portal. This revokes the device's credentials on the next sync attempt and prevents further data access.

Employee access to customer data

Truthy Systems employees and contractors do not have routine access to customer business data. Access to production database environments is restricted to a small number of authorised engineers and requires multi-factor authentication.

When access to customer data is required for support purposes, it is logged, requires explicit business owner authorisation where practicable, and is limited to the minimum necessary to resolve the issue. We do not sell or share customer data with any third party for advertising, analytics, or any other purpose.

Incident response

In the event of a security incident affecting customer data, Truthy Systems will:

  • Investigate and contain the incident as rapidly as possible
  • Notify affected customers within 72 hours of confirmation of a breach
  • Provide clear information about what data was affected and what steps have been taken
  • Cooperate fully with any regulatory obligations applicable in Uganda and East Africa

We maintain incident response procedures and conduct periodic reviews of our security posture to identify and address potential vulnerabilities proactively.

Responsible disclosure

If you discover a potential security vulnerability in Trimly, we ask that you disclose it to us responsibly before making it public. We commit to:

  • Acknowledging your report within 2 business days
  • Keeping you informed of our progress in addressing the issue
  • Not taking legal action against researchers acting in good faith
  • Crediting your discovery (with your permission) once the issue is resolved

Please do not attempt to access, modify, or delete data belonging to other users as part of your research. Limit testing to accounts and data you own.

Security contact

To report a security vulnerability or ask questions about our security practices, please contact us at:

Email: security@trimlyos.com
General enquiries: hello@trimlyos.com
Truthy Systems: truthysystems.com

For non-security support requests, please use the general contact email or start a conversation via the chat on the Trimly website.