Legal
Security at Jobflo
Last updated: May 22, 2026
Your business data lives inside Jobflo — customer details, schedules, invoices, and crew communication. We treat protecting it as a core part of the product, not an afterthought. This page is a plain-English overview of how we do it.
1. Encryption
All traffic between your browser, our mobile apps, and Jobflo's servers is encrypted with TLS 1.2 or higher. We redirect every HTTP request to HTTPS and use HSTS to prevent downgrade attacks.
Data at rest is encrypted on the storage layer. Our Postgres database runs on Supabase with AES-256 disk encryption. Uploaded files (photos, attachments, invoices) live in Cloudflare R2 with server-side encryption enabled by default.
2. Authentication
Account sign-in is handled by Supabase Auth. Passwords are hashed with bcrypt; we never store them in plaintext or in a form we can read. Password resets are time-limited single-use links sent over email. Sessions are scoped per device and can be revoked from your account settings.
On the roadmap: optional two-factor authentication (TOTP and SMS) and SAML-based single sign-on for Scale and enterprise plans.
3. Authorization and access controls
Inside your workspace, every user has a role:
- Owner — full access, including billing and deleting the workspace
- Dispatcher — manage schedules, jobs, customers, and invoices; can invite technicians
- Technician — see and update their own jobs; no access to billing or workspace settings
Database access is enforced by Postgres row-level security policies, so a request from one workspace can never read another's rows even if application code were bypassed.
Inside Jobflo, employee access to production systems is restricted to the small number of engineers who need it for on-call and incident response. All access requires SSO with two-factor authentication and is logged. Production credentials rotate on a regular schedule.
4. Hosting and infrastructure
Jobflo is hosted on SOC 2 Type II-compliant infrastructure:
- Vercel — web app hosting and edge delivery
- Supabase — managed Postgres database and authentication
- Cloudflare R2 — object storage for uploaded files
- Stripe — PCI DSS Level 1 certified payment processing
- Resend — transactional email delivery
All of these providers maintain their own published security certifications and publish their own status pages. Jobflo itself is not yet independently audited; we'll publish reports here when we complete certification.
5. Backups and disaster recovery
Supabase performs automated daily backups of the database with point-in-time recovery for the last seven days on paid tiers. Object storage in Cloudflare R2 is replicated across multiple data centers by default. We test our restore procedure on a regular schedule so we know it works before we need it.
6. Monitoring and incident response
We collect application logs, database query metrics, and uptime data. Critical alerts page the on-call engineer 24/7. If an incident affects customer data, we'll notify affected customers without unreasonable delay — and within 72 hours for incidents covered by GDPR. Status updates for ongoing incidents are posted in the app and emailed to workspace owners.
7. Secure development
We follow practices designed to keep vulnerabilities out of the product:
- Code review is required on every change before it ships
- Dependencies are scanned for known vulnerabilities on each build
- Secrets never live in source control — they're injected at deploy time
- Production deploys are immutable and traceable to a specific commit
8. Data segregation and tenancy
Jobflo is a multi-tenant SaaS application. Each workspace's data is logically separated using a workspace identifier on every row, enforced by row-level security. There is no shared mutable state between workspaces.
9. Your security responsibilities
Even with strong infrastructure, account-level security relies on good habits from you and your team:
- Use a strong, unique password — a password manager helps
- Don't share logins; invite each team member with their own role
- Remove users immediately when someone leaves your team
- Be cautious with phishing — Jobflo will never ask for your password by email
10. Sub-processors
We maintain a current list of the third-party services that process data on our behalf in the Privacy Policy. We update that list when sub-processors change.
11. Responsible disclosure
Report a security issue
If you believe you've found a vulnerability in Jobflo, please tell us. We'll acknowledge your report within two business days and work with you to confirm and fix the issue.
Please don't exploit the issue beyond what's necessary to demonstrate it, don't access data that isn't yours, and give us reasonable time to fix things before sharing publicly. We're a small team without a paid bounty program today, but we'll publicly credit researchers who want recognition.
Email support@jobflo.us12. Compliance roadmap
We're building Jobflo on SOC 2 Type II-compliant infrastructure and are working toward our own SOC 2 Type II audit. We'll update this page as certifications complete. If your procurement process needs a security questionnaire today, email us at support@jobflo.us and we'll respond promptly.