Enterprise Security for Small Business Budgets

Transparent security practices from infrastructure to application. GDPR/CCPA compliant, multi-tenant isolated, encryption at rest and in transit.

Verified Security & Compliance

Our security foundation

Heroku

Hosted on Heroku platform (Salesforce company)

AWS

Infrastructure powered by AWS

GDPR

Privacy Policy compliant (user rights implemented)

CCPA

California privacy rights compliant

Iubenda

Certified privacy policy generation

What We Don't Claim (Honesty in Security)

SOC 2 Certified

Not yet - on roadmap based on enterprise customer demand. We inherit SOC 2 certified infrastructure (Heroku/AWS) but do not have our own organizational audit.

ISO 27001 Organizational Certification

We inherit data center certification from Heroku/AWS, but do not have our own organizational ISO 27001 certification.

Penetration Tested

Not yet - professional third-party penetration testing planned for 2026.

Why This Transparency?

Many competitors claim "enterprise-grade security" without specifics. We believe transparency builds trust more than vague claims. We're honest about what we have today and what's coming next.

Built on Enterprise Infrastructure (Heroku/AWS)

Our infrastructure leverages enterprise-grade security through Heroku (Salesforce) and AWS

Infrastructure Certifications

  • Hosting: Heroku platform (Salesforce company)
  • Data Centers: ISO 27001 certified (inherited certification from Heroku infrastructure)
  • Physical Security: AWS compliance standards (SOC 2, ISO 27001 for data centers)
  • Geographic Redundancy: AWS multi-AZ deployment for high availability

Encryption & Protection

  • Encryption at Rest: PostgreSQL with AES-256
  • Encryption in Transit: TLS 1.3 for all connections
  • DDoS Protection: AWS network firewalls and CloudFront

Important: We inherit infrastructure certifications from Heroku/AWS. We do not claim organizational ISO 27001 or SOC 2 certification (those are on our roadmap based on enterprise demand).

Learn More: Heroku Security | AWS Compliance

Application Security Practices

Our application implements industry-standard security controls

1. Multi-Tenant Data Isolation

  • What it means for you: Your organization's data is completely separated from other customers
  • How we ensure it: Every data access is automatically filtered to your organization and workspace
  • Why it matters: No risk of seeing another company's assets or maintenance data
  • Continuous verification: Automated security tests validate isolation on every code change

2. Role-Based Access Control

  • Flexible permissions: Assign team members as Admins (full access) or Members (restricted permissions)
  • Two-tier control: Manage permissions at organization level and individual workspace level
  • Automatic enforcement: Permissions are checked on every action to prevent unauthorized access
  • Tested security: Comprehensive automated tests ensure permission rules work correctly
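To make the two controls above concrete, here is an added Python example (not the product's own code, which this page does not show) of tenant-scoped data access with the organization/workspace admin-member tiers. The organization, workspace, user and asset names are constructed sample data, and the `Principal` and `Asset` shapes, the `WORKSPACES` mapping and the helper functions are assumptions for illustration. The point it demonstrates: every read or write passes through one gate that checks the workspace belongs to the caller's organization, resolves the caller's effective role, and then filters rows on both `org_id` and `workspace_id`, so a lookup by id from another tenant returns "not found" rather than data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


class AuthorizationError(Exception):
    """Raised when the caller has no right to the requested workspace or action."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    org_role: str                    # "admin" (full org access) or "member"
    workspace_roles: Dict[str, str]  # workspace_id -> "admin" | "member"


@dataclass(frozen=True)
class Asset:
    asset_id: str
    org_id: str
    workspace_id: str
    name: str


# Constructed tenant layout (assumption): which workspace belongs to which org.
WORKSPACES: Dict[str, str] = {"ws-a1": "acme", "ws-a2": "acme", "ws-g1": "globex"}

# Constructed rows; in a real deployment these would be database records.
ASSETS: List[Asset] = [
    Asset("a1", "acme", "ws-a1", "forklift"),
    Asset("a2", "acme", "ws-a1", "generator"),
    Asset("a3", "acme", "ws-a2", "compressor"),
    Asset("g1", "globex", "ws-g1", "press"),
]

ALICE = Principal("alice", "acme", "admin", {})                # org admin: all acme workspaces
BOB = Principal("bob", "acme", "member", {"ws-a1": "member"})  # read-only in one workspace
CAROL = Principal("carol", "globex", "admin", {})              # admin, but of a different org


def effective_role(principal: Principal, workspace_id: str) -> Optional[str]:
    """Org admins are admins in every workspace of their own org; members only
    hold the role explicitly granted on a workspace. Foreign workspaces: None."""
    if WORKSPACES.get(workspace_id) != principal.org_id:
        return None
    if principal.org_role == "admin":
        return "admin"
    return principal.workspace_roles.get(workspace_id)


def require_access(principal: Principal, workspace_id: str, write: bool) -> None:
    """Single enforcement point called before every query."""
    role = effective_role(principal, workspace_id)
    if role is None:
        raise AuthorizationError(f"{principal.user_id}: no access to {workspace_id}")
    if write and role != "admin":
        raise AuthorizationError(f"{principal.user_id}: read-only in {workspace_id}")


class TenantScopedAssets:
    """Every method takes the principal; there is no unscoped read path."""

    def __init__(self, rows: List[Asset]):
        self._rows = list(rows)

    def list_assets(self, principal: Principal, workspace_id: str) -> List[Asset]:
        require_access(principal, workspace_id, write=False)
        # Filter on both keys: org_id blocks cross-tenant rows, workspace_id is the second tier.
        return [a for a in self._rows
                if a.org_id == principal.org_id and a.workspace_id == workspace_id]

    def get_asset(self, principal: Principal, workspace_id: str, asset_id: str) -> Optional[Asset]:
        # Lookup by id runs through the same scope, so another tenant's id does not exist here.
        for asset in self.list_assets(principal, workspace_id):
            if asset.asset_id == asset_id:
                return asset
        return None

    def delete_asset(self, principal: Principal, workspace_id: str, asset_id: str) -> bool:
        require_access(principal, workspace_id, write=True)
        before = len(self._rows)
        self._rows = [a for a in self._rows if not (
            a.org_id == principal.org_id and a.workspace_id == workspace_id and a.asset_id == asset_id)]
        return len(self._rows) < before


def _raises(fn) -> bool:
    try:
        fn()
    except AuthorizationError:
        return True
    return False


def isolation_report() -> Dict[str, bool]:
    """The kind of check a CI job can run on every change; every entry must be True."""
    repo = TenantScopedAssets(ASSETS)
    return {
        "org_admin_sees_own_workspace": [a.asset_id for a in repo.list_assets(ALICE, "ws-a1")] == ["a1", "a2"],
        "member_limited_to_granted_workspace": _raises(lambda: repo.list_assets(BOB, "ws-a2")),
        "other_org_admin_blocked": _raises(lambda: repo.list_assets(CAROL, "ws-a1")),
        "foreign_id_is_not_found": repo.get_asset(CAROL, "ws-g1", "a1") is None,
        "member_cannot_write": _raises(lambda: repo.delete_asset(BOB, "ws-a1", "a1")),
        "admin_can_write": repo.delete_asset(ALICE, "ws-a1", "a1"),
    }


if __name__ == "__main__":
    for name, ok in isolation_report().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Running the file prints one PASS line per isolation property. The design choice worth copying is that the repository has no method that reads rows without a principal, so a forgotten filter is a compile-time impossibility rather than a code-review catch, and the `isolation_report` checks are the natural thing to wire into a CI job.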

3. Authentication

  • Industry-standard authentication: Secure login system used by thousands of applications
  • Google OAuth2 option: Sign in with Google for passwordless convenience
  • Secure password storage: Passwords are stored only as salted hashes produced by an industry best-practice hashing algorithm (never stored in plain text)
  • Automatic logout: Sessions expire after inactivity to protect your account

4. Protection Against Common Vulnerabilities

  • CSRF Protection: Protects against unauthorized form submissions from malicious websites
  • SQL Injection Prevention: User input is never interpolated directly into database queries, so it cannot be executed as SQL
  • XSS Prevention: User input is escaped when rendered, so it cannot run as script in the browser
  • Content Security Policy: Browser security rules prevent unauthorized script execution

5. Session Security

  • Secure cookies: Your session data is protected from JavaScript access and transmitted securely
  • Automatic timeout: Sessions expire after inactivity to protect your account if you forget to log out
  • Encrypted configuration: Sensitive application settings are encrypted and never exposed in code

6. Automated Security Scanning

  • Code security scanning: Automated analysis checks every code change for potential vulnerabilities before deployment
  • Dependency monitoring: Continuous scanning of third-party libraries for known security issues
  • Continuous validation: Security checks run automatically on every update to catch issues early

Privacy Regulations Compliance

We implement privacy by design

GDPR Compliant

European General Data Protection Regulation

  • Privacy Policy: Comprehensive privacy policy published and regularly updated (Iubenda certified)
  • User Rights: You can access, delete, export, and correct your data anytime
  • Legal Processing: We process data to provide our service (contract performance) and with your consent
  • Data Protection: Enterprise-grade security practices protect your personal information

CCPA Compliant

California Consumer Privacy Act

  • Privacy rights for California residents: Access, deletion, opt-out
  • Privacy Policy covers CCPA requirements
  • Data export available anytime (no vendor lock-in)

Cookie Policy

  • Transparent cookie disclosure (Iubenda)
  • Essential cookies only (authentication, session management)
  • No third-party tracking cookies

Data Retention

  • Free plan: 30 days activity history
  • Premium plan: 5 years activity history

Data Export & Portability

  • CSV export anytime (Assets, Maintenance Tasks, Activity Logs)
  • No vendor lock-in - take your data with you
  • API coming in 2026 for programmatic access

Planned Security Enhancements

We are planning the following security features (timelines are estimates, subject to change based on customer demand)

Two-Factor Authentication (2FA)

On roadmap (2026)

  • Industry-standard implementation approach
  • SMS and authenticator app (Google Authenticator, Authy) options

SOC 2 Type I Certification

On roadmap (dependent on enterprise customer demand)

  • 6-9 month certification process
  • Professional third-party audit
  • Note: This is a plan, not a commitment. Timing depends on enterprise market demand and business priorities.

Penetration Testing

Planned for 2026

  • Professional third-party pentest
  • Vulnerability remediation and public report summary

Enhanced Audit Logs

Planned for 2026

  • Expand activity tracking to more data types (currently Asset-only)
  • Comprehensive audit trail for all changes

SSO (SAML)

Planned for future release

  • Enterprise single sign-on for large organizations
  • Integrations with Okta, Azure AD, Google Workspace

Important Disclaimers

  • Roadmap items are subject to change based on customer needs and business priorities
  • Timelines are estimates, not guarantees
  • SOC 2 certification is contingent on enterprise market demand (feedback welcome: [email protected])

Security Vulnerability Reporting

We welcome responsible security research

How to Report

  • Security Contact: [email protected]
  • Response Timeline: 48-hour acknowledgment, 30-day resolution target (realistic commitment)
  • Scope: Application security, infrastructure concerns, data privacy issues
  • Recognition: Security researcher hall of fame (planned for future)
  • Request: Please do not publicly disclose vulnerabilities before we've had time to address them

What to Report

In Scope:

  • SQL injection, XSS, CSRF vulnerabilities
  • Authentication bypass or privilege escalation
  • Multi-tenant data leakage
  • Insecure direct object references

Out of Scope:

  • Social engineering attacks
  • Physical security of our offices (we're remote)
  • Third-party vulnerabilities (Heroku, AWS - report to them directly)

Why This Matters: We're committed to security-conscious culture. Your responsible disclosure helps us protect all customers.

Security FAQs

Q: Do you have SOC 2 certification?

A: Not yet. SOC 2 Type I certification is on our roadmap, dependent on enterprise customer demand. We currently leverage SOC 2 certified infrastructure (Heroku, AWS) but do not have our own organizational SOC 2 audit. If SOC 2 is critical for your organization, email [email protected] to express interest (demand helps us prioritize).

Q: How is my data isolated from other users?

A: Your organization's data is completely separated from other customers through secure multi-tenant architecture. Every data access is automatically filtered to only show your organization's information - there's no way to accidentally see or access another company's assets, maintenance records, or team data. This isolation is enforced at the database level and validated with comprehensive automated security tests on every code change.

Q: Can I export my data anytime?

A: Yes. CSV export is available for Assets, Maintenance Tasks, and Activity Logs (no vendor lock-in). Export from Dashboard → Export or from the Assets/Maintenance list views. API coming Q2 2026 for programmatic access.

Q: Where is my data stored?

A: AWS data centers via Heroku infrastructure. Geographic region: US East (Virginia) by default. AWS data centers are ISO 27001 certified and SOC 2 compliant. Multi-AZ redundancy for high availability.

Q: Do you support 2FA?

A: Not yet. Two-Factor Authentication is on our roadmap for 2026. Currently, we support Google OAuth2 (passwordless authentication) as a secure alternative to traditional passwords. If 2FA is critical, email [email protected] to express interest.