Ekosistem App

Supply Chain Risk Management Plan

How Ekosistem App manages risk in its third-party dependencies, services and infrastructure.

Last updated: May 2026

Purpose & Scope

This plan covers the open-source packages, hosted services and operational tooling Ekosistem App depends on. It defines selection criteria, monitoring and what happens if a dependency becomes a risk.

Critical Suppliers

The following services and components are load-bearing for Ekosistem App:

  • Railway — runtime hosting for the Hono API and Socket.io server.
  • Vercel — runtime hosting for the Next.js web application.
  • Supabase (PostgreSQL) — primary persistent store with TLS and RLS.
  • Upstash Redis — rate limiting, caches, JWT blacklist and ephemeral state.
  • Cloudflare R2 — private object storage for user-uploaded media via signed URLs.
  • AWS SES — transactional and marketing email.
  • OpenAI and Anthropic — content moderation and the AI assistant.
  • LiveKit — video and voice rooms.

Selection & Monitoring

Suppliers are selected and monitored against the following criteria:

  • Demonstrable security posture (public security pages, SOC 2 / ISO 27001 where applicable).
  • Mature operations: documented incident process, status page and contact path for security disclosures.
  • Compliant data handling — providers processing personal data are bound by Data Processing Agreements where required by GDPR.
  • Open-source packages are pinned through the pnpm lockfile and reviewed for unmaintained, abandoned or typosquatted entries.
  • Provider status pages and security mailing lists are monitored for material events.

Replacement & Exit Plan

When a supplier becomes a risk or is no longer fit for purpose, replacement is planned as follows:

  • Engineering identifies a replacement that meets the selection criteria above.
  • Migration paths exist for hosting, persistence and email; no component is deliberately locked in beyond the portability limits inherent to managed services.
  • Migration timelines are tracked publicly on the changelog when material to users.
  • Where a Data Processing Agreement is in force, termination obligations include secure deletion of customer data.

Review & Contact

The supplier list and dependency lockfile are reviewed quarterly and after any major architectural change. Concerns can be sent to developer@plademy.com.

Developer and Operator
Plademy Oy
Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
Business-ID: 3386328-3
Ekosistem App — Community operating system