Security

How we protect
your data.

Straight answers about what we do, what we don't do yet, and what we'll tell you if you ask.

We are not independently certified — yet.

We do not hold SOC 2, ISO 27001, HIPAA or PCI-DSS certification, and we don't offer a contractual uptime SLA. Plenty of companies our size put those badges on the page anyway. We won't. If your procurement process requires a certification we don't have, tell us — we'll say so honestly rather than waste your time.

What we can do is walk you through exactly how the system is built, where your data lives, and who can reach it. Ask us anything.

What we actually do

The controls that are real.

Encryption

Your data is encrypted in transit over HTTPS/TLS, and encrypted at rest by our cloud database provider.

  • TLS for all traffic
  • Encryption at rest
  • No data sold or shared

Access control

Every user gets a role. People see the records their role allows and nothing more. Admins control who can view, edit and approve.

  • Role-based permissions
  • Per-user accounts
  • Admin-managed roles

Audit logs

Key actions in the system are recorded with who did what and when, so you can trace any change back to a person.

  • Action history
  • Attributed to a user
  • Exportable on request

Your data stays yours

Your business data belongs to you. We don't sell it, and we don't train public models on it. Ask us for an export at any time and we'll give you one.

  • Export on request
  • Deletion on request
  • No resale of your data

Found a vulnerability?

Email us and we'll look at it. We don't have a bug bounty programme, but we will always credit you and fix what you find.

▶ Live DemoBook Demo →