Security

Your operations data deserves real security.

FieldNotch stores work orders, payroll records, employee data, and financials for subcontractor businesses. We treat that like the responsibility it is.

Encryption in transit
TLS 1.3
HTTPS enforced on every request. HSTS preloaded.

Encryption at rest
AES-256
Databases, file storage, and backups, all encrypted.

Tenant isolation
Postgres RLS
Row-level security blocks cross-tenant access even on app bugs.

SOC 2 Type II
In progress
Audit underway. Letter of engagement available on request.

How we protect your data

Eight pillars of FieldNotch security.

The controls behind the marketing words. Specific, current, and honest about what's in place versus what's on the roadmap.

Data encryption

Strong encryption everywhere data lives or moves.

  • TLS 1.3 for all traffic between your browser, our APIs, and mobile apps
  • AES-256 at rest for Postgres, file storage, and encrypted nightly backups
  • Encrypted secrets management — no API keys in source code
  • HSTS preloaded across all FieldNotch subdomains

Per-tenant isolation

Your business data is logically separated from every other customer.

  • PostgreSQL Row-Level Security policies on every tenant-scoped table
  • Every request scoped to org_id by the application layer AND the database layer
  • Defense in depth — even an application bug can't leak cross-tenant data
  • Per-tenant S3 prefixes for uploaded files; no shared keys
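
As an added illustration (not FieldNotch's own schema or code), this is how a PostgreSQL Row-Level Security policy keyed on org_id keeps a query with a forgotten tenant filter inside one tenant. The table work_orders, the role app_user, and the setting name app.org_id are assumptions made for the example, and the rows are constructed sample data.

```sql
-- Hypothetical schema: work_orders, app_user and app.org_id are assumed names.
CREATE TABLE work_orders (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL
);

-- Constructed sample rows for two tenants.
INSERT INTO work_orders (org_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A: replace compressor'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B: rewire panel');

-- The application runs as a non-owner role that does not have BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON work_orders TO app_user;
GRANT USAGE ON SEQUENCE work_orders_id_seq TO app_user;

ALTER TABLE work_orders ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip RLS, so the app must not use them.
ALTER TABLE work_orders FORCE ROW LEVEL SECURITY;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK validates rows being written.
-- An unset or empty app.org_id becomes NULL, so the comparison matches no rows.
CREATE POLICY tenant_isolation ON work_orders
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Per request: bind the tenant inside the transaction. SET LOCAL is discarded
-- at COMMIT/ROLLBACK, so a pooled connection does not carry it to the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';

-- Simulated application bug: the "WHERE org_id = ..." clause is missing.
-- The policy still restricts the visible rows to the tenant bound above.
SELECT title FROM work_orders;

-- A write targeting another tenant's org_id violates WITH CHECK and raises an error.
INSERT INTO work_orders (org_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write attempt');
ROLLBACK;
```

When reviewing a setup like this, check that the application's database role is neither the table owner without FORCE nor granted BYPASSRLS, since either one silently disables the policy.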

Authentication

Layered protection against unauthorized account access.

  • Passwords hashed with bcrypt (cost factor 12), never stored in plain text
  • Optional two-factor authentication via authenticator app
  • Google OAuth sign-in available on all plans
  • SAML SSO available on Enterprise; coming soon to Operator
  • Account lockout after repeated failed login attempts
  • Sessions expire automatically; revocable from your settings

Least-privilege access

Internal access to production is narrow and audited.

  • Engineers with production access are explicitly listed and reviewed quarterly
  • Mandatory MFA on all internal systems (GitHub, hosting console, secrets vault)
  • Production database access requires SSH bastion + named user
  • No shared accounts — every action is attributable to a person

Infrastructure

Hardened hosting on EU-based, ISO 27001 / SOC 2 compliant providers.

  • Compute hosted on Hetzner (ISO 27001 certified data centers)
  • Object storage on S3-compatible providers with versioning enabled
  • Cloudflare in front of every endpoint — DDoS mitigation, WAF rules, bot protection
  • Network isolation: app, database, and admin tiers on separate subnets
  • Automatic security patches applied via unattended-upgrades

Application security

Security is baked into how we build, not bolted on after.

  • Daily dependency scanning (Dependabot) — critical CVEs patched within 48 hours
  • Static analysis on every pull request (Semgrep, CodeQL)
  • Mandatory code review by a second engineer before merge to main
  • Output encoding to prevent XSS; parameterized queries to prevent SQL injection
  • CSRF tokens on all state-changing operations
  • Strict Content Security Policy headers

Audit logging

Every meaningful action is recorded, attributable, and retrievable.

  • Application audit log: who created/edited/deleted what, when, from where
  • Logs retained for 1 year; available to you via account export
  • Infrastructure logs (auth, deploys, admin actions) kept in append-only storage
  • Available on request for compliance reviews and forensic investigations

Backups & recovery

Your data survives the bad days.

  • Encrypted automated backups every 6 hours, retained 30 days
  • Geographically separate backup region from primary
  • Quarterly restore drills — we test backups, we don't just take them
  • Recovery Point Objective (RPO): 6 hours · Recovery Time Objective (RTO): 4 hours

Compliance & certifications

Where we stand on the standards that matter.

Honest snapshot of what's complete, in progress, and planned. We update this page when a status changes.

○ In progress

SOC 2 Type II

Audit engaged with a Big 4 affiliate firm. Type I report targeted Q3 2026, Type II report Q1 2027. Letter of engagement available under NDA.

✓ Compliant

GDPR & UK GDPR

Standard Contractual Clauses with EEA sub-processors. DPA available to all customers on request. Designated EU representative if required.

✓ Compliant

CCPA & CPRA

California-resident rights respected — access, deletion, correction, opt-out from selling (we don't sell), and limit-use rights for sensitive data.

✓ Compliant

PIPEDA

Canadian Personal Information Protection and Electronic Documents Act compliance for our Canadian customers.

✓ Compliant

PCI DSS

FieldNotch never sees credit card numbers — all payments are tokenized and handled by Stripe, a PCI Level 1 service provider.

○ Planned

HIPAA

Not applicable today — FieldNotch isn't designed for protected health information. Will revisit if customer demand emerges (e.g., HVAC subs for hospitals).

What we won't do

Things we promise — in writing.

Backed by our Terms of Service and Privacy Policy, not just marketing copy.

We won't sell your data

Ever. Not aggregated, not "anonymized," not as part of a partnership deal. Your business data exists in FieldNotch only to serve you.

We won't train AI on your data

Our AI provider (Groq) is contractually prohibited from training models on Your Content. The work orders, employee records, photos, and notes you upload stay yours.

We won't read your data, period

Internal access to customer data is restricted to a narrow set of engineers, requires named authentication, is logged, and is reviewed quarterly. We don't browse your data for fun.

We won't hold your data hostage

Export everything — work orders, employees, invoices, payroll, audit logs — in CSV, PDF, and JSON formats. Available while subscribed, and for 30 days after cancellation.

Shared responsibility

Your half of the security model.

Most account compromises happen because of weak passwords, missing 2FA, or stale permissions — things we can give you tools to manage but can't fix for you.

  1. Use a strong, unique password — generated by a password manager, not reused from somewhere else.
  2. Enable two-factor authentication on your account and require it for all team members in Settings → Security.
  3. Review your team list quarterly — remove access for employees and contractors who've left.
  4. Use role-based permissions — give workers and dispatchers only the access they actually need to do their jobs.
  5. Watch your audit log — sign in occasionally and check Settings → Audit Log for unfamiliar actions.
  6. Keep your devices patched — the strongest server-side security can't protect against a compromised laptop or phone.
  7. Be cautious about phishing — FieldNotch will never ask for your password by email, SMS, or phone.
  8. Report incidents to us quickly — if you see something suspicious, email security@fieldnotch.com right away.

Responsible disclosure

Found a security issue? We want to hear about it.

FieldNotch welcomes security research and responsible disclosure. If you've found a vulnerability — even one you're not sure about — please report it before sharing publicly. We'll respond within one business day.

  • Email security@fieldnotch.com — or use our PGP key (fingerprint published on request)
  • Include a clear description, reproduction steps, and (if applicable) suggested remediation
  • Don't access, modify, or download data that isn't yours; don't run DDoS or social-engineering tests
  • We commit to acknowledge within 1 business day, investigate within 5, and patch critical issues within 14
  • We don't have a paid bug bounty yet — but we'll publicly credit you (with your permission) once the issue is patched, and we'll send you FieldNotch swag