Security & Trust

How Tellus protects your organisation's confidential ESG and people data.

Version 1.0 · Effective 20 June 2026 · Summary only — the binding commitments are in our Data Processing Agreement and Privacy Policy.

Tellus is operated by Joshua Rayan Communications (JRC). Companies use it to record confidential sustainability data — energy and emissions figures, financial inputs, the names and roles of their people, and supporting evidence. We treat that data as our customers' property and protect it with the controls below. This page is a plain-language summary; where it touches a legal obligation, the Data Processing Agreement governs.

Where your data lives

Your data's primary store is in Singapore. We use a small number of established sub-processors, each under a written data-protection contract:

Provider	Role	Location
Supabase (on AWS)	Database, authentication and evidence-file storage	Singapore — AWS `ap-southeast-1`
Cloudflare	Application hosting and content delivery	Global edge network
Resend	Transactional email (invitations, password resets, reminders) — email addresses and message content only	Tokyo, Japan

We notify client administrators in advance of any change to this list, giving you the opportunity to object on reasonable data-protection grounds.

Encryption

All traffic between your browser and Tellus is encrypted with TLS (HTTPS), enforced by a strict transport-security policy.
Your database and uploaded evidence files are encrypted at rest by our infrastructure provider.

Access control & tenant isolation

Role-based access, enforced on the server — each user only ever sees the clients and entities they are explicitly assigned to.
Logical segregation of every client's data, enforced at the database level (row-level security), so one customer can never reach another's data.
Least-privilege administrative access within JRC, limited to the people who need it to deliver the service.
Sessions automatically sign out after 30 minutes of inactivity.
Optional protection against the use of known-compromised passwords, and a minimum password strength.

Integrity & the assurance record

Append-only audit log — every change records who made it and when, supporting a defensible assurance trail.
Year-lock — once a reporting year is finalised and signed off, its figures are frozen and cannot be silently altered.
Evidence validation — uploaded files are checked for their true file type and rejected if they contain macros or active content, with a size limit per file.

Availability & recovery

Tellus runs on managed cloud infrastructure. The database is backed up daily with point-in-time recovery, and evidence files are held in managed, redundant object storage. We periodically test our ability to restore so that we can recover availability in the event of an incident.

If something goes wrong

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and within 72 hours, with the information you need to meet your own regulatory obligations under the Malaysian PDPA and, where applicable, the GDPR. Report a suspected security issue to tom@jr.com.my.

Your data is yours

We process your data only to provide the Tellus service on your instructions — never for our own purposes, and never to train models.
You can export your data (consolidated figures and a full calculation audit trail) at any time.
On termination, we will return or delete your data at your choice and, on request, certify the deletion in writing.
You may audit our compliance, as set out in the Data Processing Agreement.

What we don't yet claim

We're an early-stage product backed by a specialist consultancy, and we believe in being precise. We do not currently hold a formal certification such as SOC 2 or ISO 27001. The controls above are real and in force; we're happy to walk your IT or procurement team through them and to complete a security questionnaire on request.