Procurement Pack

Everything your procurement officer, legal team, or board of directors needs to evaluate Socianote. All documents are available online — no email required, no gatekeeping. If you need something that isn't here, reach out and we'll provide it within one business day.

Available documents

Click any document to read it in full. All are publicly accessible — we believe transparency builds trust faster than NDAs.

Compliance & certification status

An honest summary of where we stand today. Green items are live and verifiable. Amber items are on our roadmap with realistic timelines. We will never claim a certification we don't have.

PDPA compliance (Singapore)

Available now

Privacy Policy, DPA, subprocessor disclosure, right-to-erasure (hard-delete), consent management, and audit logging are live.

GDPR principles

Available now

Data minimisation, purpose limitation, storage limitation, right to access and erasure, and data portability (JSON export). A full EU-residency option is planned for our first EU customer.

Multi-tenant data isolation

Available now

PostgreSQL row-level security (RLS) enforces per-organisation boundaries on every query. No org can read another org's data even via API.

Audit trail

Available now

Every create, update, and delete is logged with actor, timestamp, and field-level diff. Hard-deleted PII is redacted from audit entries. Admins can export audit logs.

Role-based access control (RBAC)

Available now

Four roles: Admin, Supervisor, Case Manager, Viewer. Enforced in both UI and database (RLS). Financial data restricted to Supervisor+.

Right to erasure

Available now

Admins can permanently delete a participant's data via the Privacy Center. PII is stripped from audit logs, notifications, and all related records. Verified via automated regression tests.

SOC 2 Type II

Planned

Not yet certified. Our infrastructure runs on SOC 2 certified providers (Supabase, AWS, Vercel). We plan to pursue SOC 2 Type II after reaching product-market fit. Timeline: 2027.

ISO 27001

Planned

Not yet certified. Planned alongside SOC 2. Timeline: 2027-2028.

Penetration test report

Planned

Automated security scanning is in place (Supabase built-in + dependency audit). Formal third-party pen test planned for Q4 2026.

Cyber insurance

Planned

Under evaluation. Expected to be in place before first enterprise customer.

EU data residency

Planned

Available on request for enterprise customers. Supabase supports EU-West region. Timeline: on demand, not speculative.

About the company

Legal entity

Better Future Holdings Pte Ltd

Incorporated in Singapore

Product

Socianote

Case management SaaS for social service agencies

Data hosting region

Singapore (ap-southeast-1)

Supabase on AWS. EU-West available on enterprise request.

Security contact

security@socianote.com

Vulnerabilities, custom DPA, compliance questions

Need something specific?

If your procurement process requires a document we haven't listed — a vendor security questionnaire, a specific DPA format, insurance certificates, or a signed letter from our founder — email us. We'll turn it around within one business day.