Security & Trust
Your data security is our top priority. We implement enterprise-grade security measures to protect your business information.
Encryption
All data encrypted at rest and in transit using industry-standard protocols
Multi-Tenant Isolation
Row-Level Security ensures complete data separation between companies
Enterprise Infrastructure
Built on Supabase, an enterprise-grade platform trusted by thousands
Row-Level Security (RLS)
Database-level security policies ensure complete data isolation. Your data is physically separated from other customers at the database level.
- Every query automatically filters by companyId
- Policies enforced at the PostgreSQL level
- Zero-trust architecture from database to UI
- Type-safe Prisma queries prevent data leaks
-- PostgreSQL RLS Policy Example
CREATE POLICY company_isolation ON appointments
  FOR ALL
  USING (
    company_id = current_setting('app.current_company_id')::uuid
  );
Encryption Standards
Data at Rest
AES-256 encryption for all stored data. Database backups encrypted with industry-standard algorithms.
Data in Transit
TLS 1.3 for all connections. End-to-end encryption for sensitive operations. Certificate pinning for mobile applications.
Key Management
Encryption keys managed by Supabase infrastructure. Keys rotated regularly and stored in secure key management systems.
Encryption
All data is encrypted using industry-standard protocols. Your information is protected both at rest and in transit.
Infrastructure & Compliance
Infrastructure
- Supabase enterprise-grade PostgreSQL hosting
- 99.9% uptime SLA
- Automated backups with point-in-time recovery
- Geographic redundancy and disaster recovery
Security Practices
- Regular security audits and penetration testing
- Vulnerability scanning and patch management
- Security incident response procedures
- Employee security training and access controls
Access Controls
Multi-factor authentication, role-based access control, and comprehensive audit logging ensure only authorized users can access your data.
Authentication & Authorization
Multi-Factor Authentication
Optional MFA for additional account security. Support for TOTP authenticator apps.
Role-Based Access Control
Granular permissions system. Control who can view, edit, or delete specific data within your organization.
Session Management
Secure session tokens with automatic expiration. Device fingerprinting for suspicious activity detection.
Audit Logging
Complete audit trail of all data access and modifications. Track who did what and when for compliance and security.
Incident Response
We take security incidents seriously and have procedures in place to respond quickly and transparently.
Detection & Response
Automated monitoring and alerting systems detect potential security issues. Our team responds immediately to investigate and remediate any threats.
Notification
In the event of a security incident affecting your data, we will notify affected customers within 72 hours as required by applicable laws.
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly to:
[email protected]
Our Security Practices
Database-Level Isolation
Every customer gets complete data isolation through PostgreSQL Row Level Security (RLS). This means your data is separated from other customers at the database level, not just the application level.
Every single database query automatically filters by your companyId. Even if our application code had a bug, the database would reject any attempt to access another company's data. This is enforced by PostgreSQL itself, not our application logic.
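What has to be in place in PostgreSQL for the guarantee described above to hold, as an added example that is not this vendor's own schema or code. The names appointments, company_id, company_isolation and app.current_company_id come from the policy example on this page; the role app_user, the title column and the UUID values are assumptions made for illustration.

```sql
-- Added example. Assumed names: app_user, title; UUIDs are constructed.
-- The application must connect as a role that does not own the table and
-- has no BYPASSRLS attribute, otherwise policies are skipped.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE appointments (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),  -- built in since PostgreSQL 13
    company_id uuid NOT NULL,
    title      text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON appointments TO app_user;

-- A policy does nothing until RLS is enabled on the table.
-- FORCE makes the table owner subject to the policy as well.
ALTER TABLE appointments ENABLE ROW LEVEL SECURITY;
ALTER TABLE appointments FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK validates
-- rows being written. For FOR ALL it defaults to USING; spelled out here.
CREATE POLICY company_isolation ON appointments
    FOR ALL
    USING      (company_id = current_setting('app.current_company_id')::uuid)
    WITH CHECK (company_id = current_setting('app.current_company_id')::uuid);

SET ROLE app_user;

-- One request = one transaction. The third argument (true) makes the setting
-- transaction-local, so a pooled connection cannot carry one tenant's id
-- into the next request.
BEGIN;
SELECT set_config('app.current_company_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO appointments (company_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Boiler service');
SELECT id, title FROM appointments;   -- no WHERE clause; the policy scopes it
COMMIT;

-- Same tenant context, row stamped with another company's id:
-- WITH CHECK rejects the write.
BEGIN;
SELECT set_config('app.current_company_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO appointments (company_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant write');
ROLLBACK;

-- No tenant context: current_setting() raises an error instead of
-- returning rows, so a forgotten set_config fails closed.
SELECT count(*) FROM appointments;
RESET ROLE;
```

Superusers and roles with BYPASSRLS are never subject to policies, FORCE included, so the thing to verify against a live database is which role the application's connection actually uses.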
Encryption Standards
All data at rest uses AES-256 encryption. All data in transit uses TLS 1.3. We don't support older TLS versions because they have known vulnerabilities.
Database backups are encrypted before being stored. Encryption keys are managed by Supabase's infrastructure and rotated on a regular schedule. We never store encryption keys in the same location as the encrypted data.
Access Controls
We use role-based access control (RBAC) with granular permissions. Office managers can see everything. Dispatchers can assign jobs but not view financial data. Technicians can only see their assigned appointments.
Optional multi-factor authentication (MFA) adds an extra layer of security for admin accounts. We support TOTP authenticator apps like Google Authenticator or Authy.
Audit Logging
Every significant action is logged with a complete audit trail. We record who made the change, what was changed, when it happened, and what the values were before and after.
Audit logs are retained for 90 days on the standard plan. Enterprise customers can configure longer retention periods. Logs are immutable and cannot be deleted or modified.
Infrastructure Security
We run on Supabase, which provides enterprise-grade PostgreSQL hosting with automatic backups, point-in-time recovery, and geographic redundancy.
Our production servers are isolated from development and staging environments. No production data ever touches developer machines. We use separate database credentials for each environment with least-privilege access.
Vulnerability Management
We run automated dependency scanning on every code commit. Critical security patches are deployed within 24 hours of disclosure. Non-critical patches are bundled into our weekly Friday releases.
We conduct annual penetration testing with third-party security firms. Findings are remediated before the next release cycle.
Data Backup & Recovery
Automated backups run every 6 hours with point-in-time recovery available for the last 7 days. We test backup restoration procedures monthly.
In the event of data loss, we can restore your entire database to any point within the last 7 days. Recovery time objective (RTO) is less than 2 hours.
Employee Access
Only senior engineers have production database access, and only when debugging customer-reported issues. All production access is logged and reviewed monthly.
We never access customer data without explicit permission. Support requests that require viewing your data get a notification in advance.
Your Data is Safe
We've built security into every layer of our platform. Your business data is protected by enterprise-grade security measures.