Overview
New Rebellion Pty Ltd (ABN 19 688 435 985) operates Hub, a marketing co-pilot used by businesses to score and improve their marketing performance. Hub holds business-sensitive data: analytics pulls, advertising performance, customer lists at aggregate level and marketing plans. Protecting that data is core to how the product is built.
This page sets out how we secure that data, who else processes it on our behalf, where it lives and what we are working towards. It is updated when material changes happen.
Security Controls in Place Today
Encryption
- All traffic to and from Hub is encrypted in transit using TLS 1.2 or higher
- OAuth refresh tokens and third-party API keys (Klaviyo, Microsoft Advertising, Meta, TikTok, Google) are encrypted at rest using AES-256-GCM with a dedicated key. Plain-text keys are never written to the database
- Databases and storage volumes are encrypted at rest by our underlying providers
Authentication
- Hub uses passwordless authentication via magic link. We do not store user passwords, which removes a common class of breach risk
- Authenticated sessions are tracked via HTTP-only, Secure, SameSite cookies backed by signed JWTs
- Administrative access is gated by a separate admin flag on the user record and verified server-side on every request
Database and access controls
- Primary data is stored in Supabase Postgres with row-level security enabled on customer tables. Application code accesses data using service credentials with the principle of least privilege
- Direct database access is restricted to a small set of authorised operators. Production credentials are rotated when an operator leaves
- Database changes ship as versioned migrations checked into source control
Application and network protection
- Cloudflare sits in front of every request: DNS, CDN, WAF, Bot Fight Mode and Page Shield
- A custom WAF ruleset blocks common probing patterns (WordPress paths, .env exposure, phpmyadmin, .php requests) at the edge before they reach our application
- Edge middleware blocks empty user agents, known scraper user agents and POST requests without correct content type on sensitive endpoints
- Cloudflare Turnstile provides invisible bot verification on session and report endpoints
- Rate limiting is enforced server-side via sliding-window counters in Upstash Redis
- Hub API POST endpoints are restricted at the WAF to traffic from Australia and New Zealand. Public pages and shared report links remain available globally
- Incoming third-party webhooks (currently Stripe, when enabled) are verified using HMAC signature checks with replay protection via idempotency keys
Logging and monitoring
- Server logs are retained by our hosting provider and reviewed for anomalous patterns
- Blocked bot and abuse signals are counted by reason and date in Redis with a 90-day retention
- Product usage events are written to a dedicated table for support and reliability monitoring
Software supply chain
- Dependencies are managed via npm with lockfiles. Updates are reviewed before merge
- Secrets are stored in our hosting provider's encrypted environment variable store. They are never checked into source control
Data Residency
We are upfront about where your data lives.
- Primary database: Supabase Postgres in AWS region ap-south-1 (Mumbai, India)
- Application hosting: Vercel global edge network with compute primarily in the United States and the European Union
- Cache and rate limiting: Upstash Redis, multi-region with primary regions in the United States
- AI processing: Anthropic in the United States
- Edge protection and DNS: Cloudflare global edge
Australian residency for the primary database is on our infrastructure roadmap. We will give customers reasonable notice before a residency change that materially affects where customer data is held.
Sub-Processors
The list below covers every third-party service that processes customer data on our behalf today. Each is bound by contractual terms with the provider and we review them periodically.
| Provider | Purpose | Data | Region |
| --- | --- | --- | --- |
| Supabase | Primary database, authentication, row-level security | Accounts, business profiles, reports, plan actions, events | AWS ap-south-1 (Mumbai, India) |
| Vercel | Application hosting and edge compute | Server logs, request metadata | Global edge (United States, European Union primary) |
| Cloudflare | DNS, CDN, WAF, bot protection, Turnstile | Network traffic, IP addresses, user agents | Global edge |
| Upstash | Redis cache for reports, sessions and rate limits | Cached report payloads, session keys, abuse counters | Multi-region (United States primary) |
| Anthropic | AI processing via the Claude API | Audit data and prompts submitted for report generation | United States |
| Resend | Transactional email delivery | Email addresses, magic links, report notifications | United States |
| Notion | Internal CRM record-keeping for company, report and contact data | Company name, scores, contact email, interaction history | United States |
| Calendly | Call bookings | Name, email, booking time | United States |
| Google APIs | OAuth and read-only data pull (Analytics, Search Console, Ads, Tag Manager) | Per integration scope, read-only | United States |
| Meta APIs | OAuth and read-only Page and ad insights | Page and ad performance data, read-only | United States |
| TikTok APIs | OAuth and read-only Marketing API | Advertising performance data, read-only | United States, Singapore |
| Microsoft APIs | OAuth and read-only Microsoft Advertising | Advertising performance data, read-only | United States |
| Klaviyo | Private API key, read-only email and SMS metrics | Campaign and flow performance, list and subscriber counts, read-only | United States |
We will give reasonable notice before adding or replacing a sub-processor that handles customer data. Stripe will be added to this list before any self-serve subscription billing goes live.
AI Processing
Hub uses the Anthropic Claude API to generate scored assessments, narratives and recommendations. Two commitments apply:
- Anthropic does not use API inputs or outputs to train its models. Their published policy is at anthropic.com/policies
- We never use your business data to train any AI model ourselves. Aggregated, non-identifying patterns may be used to improve internal logic, but raw inputs are not repurposed
Any new AI provider we add to the stack will be reviewed against the same standard and disclosed in this page.
Incident Response
- We monitor security signals on an ongoing basis. Where an incident is suspected, we triage it against severity, scope and customer impact
- In the case of an eligible data breach, we will notify the Office of the Australian Information Commissioner and affected customers in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). We aim to notify affected customers within 72 hours of confirming an incident
- Post-incident, we write a blameless review documenting cause, impact and remediation. Material learnings drive control updates
Compliance Roadmap
We are an Australian company and our default compliance baseline is the Privacy Act 1988 (Cth) and the Australian Consumer Law. We are actively working towards additional external assurance.
- SOC 2 Type II: in progress. We are aligning our controls and documentation to the AICPA Trust Services Criteria and intend to engage an external auditor once internal readiness is complete
- Australian data residency: under evaluation. The current architecture supports a regional database move with minimal customer disruption
- Penetration testing: we plan to engage an external firm for a first independent test alongside the SOC 2 work
- Single sign-on (SAML, OIDC): under consideration for business customers
We publish updates on this roadmap as milestones are reached. We do not commit to dates in legal documents.
Customer Responsibilities
Security is a shared responsibility. You are responsible for:
- Keeping access to the email address linked to your Hub account secure (it is the gateway to the magic-link sign-in)
- Disconnecting integrations when an employee leaves or no longer needs access
- Making sure you have authority to connect any third-party account
- Telling us promptly if you suspect unauthorised access to your account
Data Processing Addendum
A Data Processing Addendum is available on request for customers who require one. It covers the topics expected by procurement teams: sub-processor commitments, breach notification, data subject rights, international transfer safeguards and audit rights.
Reporting a Vulnerability
If you believe you have found a security issue affecting Hub or new-rebellion.com, please email filip@newrebellion.network with the subject line "Security disclosure" and as much detail as you can share. We will acknowledge within two business days and keep you updated as we investigate.
Please do not test against production accounts other than your own and avoid actions that could disrupt service for other customers.
Talk to Us
If you are a procurement or security reviewer working through a vendor assessment, send us your questionnaire or your specific questions and we will respond promptly.