Security Is How We Ship.
Encrypted transport on every request. Role based access on every screen. Two factor on every login. Activity logging on every action. Security is not a feature you buy. It is the default.
What's On by Default.
You do not turn these on. They were already on the day you signed in.
Encrypted in Transit.
HTTPS only with HSTS. TLS 1.2 minimum. Certificate transparency monitored.
Two Factor on Login.
Time based one time codes from any authenticator app. SMS fallback. Backup codes for recovery.
Role Based Access.
Office, dispatch, crew, and read only roles ship by default. Per company custom roles when you need them.
Activity Log.
Every state change records who, what, when, and from where. Searchable, exportable, and immutable.
IP Visibility.
See where logins come from. Optional IP allow lists for office only access.
Hardened Headers.
HSTS, CSP, X-Frame-Options, Referrer-Policy, and Permissions-Policy on every response.
Our Practice, Plainly Stated.
| Area | Practice |
|---|---|
| Transport | HTTPS only with HSTS preload. TLS 1.2 minimum. Strong cipher suites. Certificates auto rotated. |
| Authentication | Salted password hashing with modern KDF. Two factor with TOTP and SMS fallback. Session rotation on key events. Brute force throttling. |
| Authorization | Role based access at the API and UI layer. Tenant isolation enforced at the database query level. |
| Data at rest | Encrypted volumes for databases and backups. Backups retained on a rolling window with restore tested. |
| Network | Web tier behind a hardened reverse proxy. Application tier with no public ports. Database tier private only. |
| Audit log | Immutable activity record on user, customer, estimate, job, invoice, and payment events. Exportable on request. |
| Vulnerability handling | Coordinated disclosure via the security policy. Acknowledged within one business day. No legal threats for good faith research. |
| Vendors | Limited and named in our DPA on request. Each vendor reviewed for transit, retention, and access. |
| Incident response | Documented runbook with on call rotation. Customers notified of confirmed incidents that affect their data within 72 hours. |
Security, Answered.
Where is data stored?
Primary data stays in US data centers. Encrypted backups are kept on a rolling window. We list the specific providers in our DPA, available on request.
Can we restrict access by IP?
Yes. IP allow lists at the user or role level. Useful when only office staff should reach the admin panel.
Do you support SSO?
Not yet. Built-in two factor with TOTP and SMS plus optional IP allow lists handle most of what teams ask SSO for. SAML and OIDC SSO are on the roadmap. If your security team requires it today, tell us and we will be honest about timing.
How do we report a vulnerability?
Email security@workflowprodigy.com. We acknowledge within one business day. Our policy lives at /.well-known/security.txt.