Security
Security you don't have to think about
What we do today, what's coming next, and where the data lives. Honest, specific, no buzzword bingo.
Data protection
Every byte you put into SalesThumb is encrypted in flight and at rest.
- Live: TLS 1.2+ enforced on every connection — HTTP traffic is automatically upgraded.
- Live: Database encryption at rest (Neon managed Postgres on AWS).
- Live: File storage encrypted at rest on Cloudflare R2 (AES-256).
- Live: Signed-URL access for every photo, warranty PDF, and document — no public buckets.
- Roadmap: Customer-managed encryption keys (BYOK) for Enterprise.
Tenant isolation
Shops can't see each other's data. Period.
- Live: Every tenant-owned row carries a shopId or orgId; every query filters by it.
- Live: Server-side guard at the procedure layer — never relying on the client to scope.
- Live: Subdomain routing per shop — no cross-tenant cookie reuse.
- Live: HQ org admins access child shop data only through audited org-membership checks.
- Roadmap: Per-tenant row-level security policies in Postgres for defense-in-depth.
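The procedure-layer guard described above, as an added illustration in TypeScript that is not SalesThumb's code: the tenant is taken from the server-held session, a client-supplied shopId is honored only through an org-membership check, and that cross-shop access is audited. The session shape, the shop-to-org lookup and the in-memory rows are assumptions.

```typescript
// Added illustration, not SalesThumb's code: the session and row shapes, the
// shop -> org lookup and the in-memory tables are assumptions.
type Role = "Owner" | "Admin" | "Tech" | "Sales" | "Viewer";
interface Session { userId: string; shopId: string; role: Role; orgMemberships: string[] }
interface Vehicle { id: string; shopId: string; orgId: string; vin: string }
interface AuditEntry { actor: string; shopId: string; action: string }

// Constructed sample data: two shops under an HQ org plus one unrelated shop.
const SHOP_ORG: Record<string, string> = {
  "shop-1": "org-hq", "shop-2": "org-hq", "shop-9": "org-other",
};
const VEHICLES: Vehicle[] = [
  { id: "v1", shopId: "shop-1", orgId: "org-hq", vin: "VIN-A" },
  { id: "v2", shopId: "shop-2", orgId: "org-hq", vin: "VIN-B" },
  { id: "v3", shopId: "shop-9", orgId: "org-other", vin: "VIN-C" },
];
const AUDIT_LOG: AuditEntry[] = [];

class ForbiddenError extends Error {}

// Decide which shop a procedure may read. The tenant comes from the server-held
// session, never from request input; a client-supplied shopId is honored only when
// the caller belongs to that shop's parent org (the HQ admin case), and that
// cross-shop access is written to the audit log.
function resolveShopScope(session: Session, requestedShopId?: string): string {
  if (!requestedShopId || requestedShopId === session.shopId) return session.shopId;
  const parentOrg = SHOP_ORG[requestedShopId];
  if (parentOrg !== undefined && session.orgMemberships.includes(parentOrg)) {
    AUDIT_LOG.push({ actor: session.userId, shopId: requestedShopId, action: "org-admin read" });
    return requestedShopId;
  }
  throw new ForbiddenError(`user ${session.userId} has no access to ${requestedShopId}`);
}

// Every query narrows by the resolved scope before any other predicate runs, so a
// procedure cannot forget to filter by tenant.
function listVehicles(session: Session, requestedShopId?: string): Vehicle[] {
  const shopId = resolveShopScope(session, requestedShopId);
  return VEHICLES.filter((v) => v.shopId === shopId);
}
```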
Authentication & access
Strong defaults, role-based controls, and SSO when you need it.
- Live: Email + password with bcrypt hashing (Better-Auth).
- Live: Magic-link login as a phishing-resistant alternative.
- Live: Role-based access: Owner, Admin, Tech, Sales, Viewer per shop.
- Live: Session revocation from settings — log out a device anywhere.
- Roadmap: TOTP + WebAuthn (passkey) two-factor enforcement per shop.
- Roadmap: SAML / OIDC single sign-on for Enterprise.
Application security
Boring fundamentals done right.
- Live: TypeScript end-to-end + Zod input validation on every API procedure.
- Live: Drizzle ORM uses parameterized queries — no string-concat SQL anywhere.
- Live: CSRF protection on cookie-authed routes; same-site session cookies.
- Live: Stripe webhook signature verification on every event.
- Live: Twilio webhook signature verification on every inbound SMS / call status.
- Roadmap: Annual third-party penetration test.
Infrastructure
Modern, audited platform partners do the heavy lifting.
- Live: App tier on Vercel — SOC 2 Type II certified, SSAE 18, HIPAA BAA available.
- Live: Database on Neon — SOC 2 Type II, point-in-time recovery, daily backups.
- Live: File storage on Cloudflare R2 — SOC 2 Type II, ISO 27001.
- Live: Email on Resend — SPF, DKIM, DMARC enforced.
- Live: All vendors require MFA for our internal admin access.
Operations & response
What happens when something goes wrong.
- Live: Automated daily database backups with 7-day point-in-time recovery.
- Live: Audit log per shop — every settings change, role change, and sensitive action recorded.
- Live: Public status page at status.salesthumb.com.
- Live: Security incident notification within 72 hours of confirmed impact.
- Roadmap: Published RTO / RPO targets and disaster recovery drills.
Compliance & certifications
Where we are today; we'll publish artifacts as audits land.
SOC 2 Type I
In progress: Audit kicked off; expected attestation Q4 2026.
SOC 2 Type II
Roadmap: Follows the Type I attestation by ~12 months.
GDPR (Data Processing Addendum)
Available: Email info@roffik.com to receive a signed DPA.
PCI compliance
Inherited: Card data flows directly to Stripe; we never touch a PAN. SAQ A scope.
TCPA opt-out
Enforced: STOP / START keywords are honored automatically; opt-outs persist across channels.
Found a vulnerability?
Responsible disclosure is welcomed and credited. Email info@roffik.com with reproduction steps and we'll acknowledge within 24 hours.
Common questions
Where is my data stored?
Application data lives in a managed Postgres instance on Neon (AWS us-east-1 by default). Files (photos, PDFs, certificates) live on Cloudflare R2 with global edge distribution. Both providers carry SOC 2 Type II attestations.
Can SalesThumb employees see my data?
Direct database access is restricted to a small list of named operators on call for incidents, all of whom have MFA enforced. Routine support happens through impersonation tokens that are scoped, time-bound, and recorded in the per-shop audit log. We don't browse customer data for any reason except a documented support request.
What happens if I cancel my subscription?
Your data stays exactly where it is for 60 days, accessible via export. After 60 days of cancelled status it's deleted from the live database; backups follow the standard 7-day retention. Email info@roffik.com to request immediate erasure.
Do you store credit card numbers?
No. Card details are tokenized by Stripe at entry and never reach our servers. We hold a Stripe customer ID and the last four digits of the most recent card — that's it. This keeps SalesThumb in PCI SAQ A scope.
How do I report a security issue?
Email info@roffik.com with a description of the issue and steps to reproduce. We acknowledge within 24 hours and aim to resolve high-severity issues within 7 days. We don't have a paid bug bounty yet but will publicly credit responsible disclosures.