Security is not a feature we added later. It is the foundation every table, every query, and every API call is built on. Your business data deserves the same protection as a bank.
Every request passes through multiple independent security layers before it touches your data.
Every single table in the database enforces row-level security at the PostgreSQL layer. This is not application-level filtering that can be bypassed. It is enforced by the database engine itself. Your company's data is cryptographically isolated from every other company. Even if someone ran a raw SQL query against the database, they would only see their own rows. Period.
Every API request carries a cryptographically signed JSON Web Token. The token contains your user ID, company ID, and role. It cannot be forged or modified. Sessions expire automatically. Password authentication for business users. Magic link authentication for the client portal so homeowners never need to remember a password.
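An added example, not ZAFTO's own code, of the tenant isolation described above: a PostgreSQL policy keyed on the company ID in the signed token, followed by two catalog queries that check the "every table" claim. Assumptions: the jobs table, a top-level company_id claim in the JWT, and Supabase's auth.jwt() helper and authenticated role.

```sql
-- Constructed example table; the name and columns are hypothetical.
CREATE TABLE jobs (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    company_id uuid NOT NULL,
    title      text NOT NULL
);

ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- Assumption: the verified JWT carries a top-level "company_id" claim.
-- auth.jwt() is Supabase's helper returning the token's claims as jsonb.
-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK stops a caller writing a row into another company.
CREATE POLICY tenant_isolation ON jobs
    FOR ALL
    TO authenticated
    USING      (company_id = (auth.jwt() ->> 'company_id')::uuid)
    WITH CHECK (company_id = (auth.jwt() ->> 'company_id')::uuid);

-- Check 1: tables in the public schema with RLS switched off.
-- An empty result is what "every table enforces RLS" requires.
SELECT c.relname AS table_without_rls
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity
ORDER BY c.relname;

-- Check 2: roles that skip RLS whatever the policies say.
-- Credentials for these roles must never reach a client application.
SELECT rolname
FROM pg_roles
WHERE rolsuper OR rolbypassrls
ORDER BY rolname;
```

A table with RLS enabled and no policy denies all rows to non-exempt roles, so Check 1 catches the dangerous case (RLS off), not the merely inconvenient one.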
Seven distinct roles control exactly who sees what. Your technician sees their assigned jobs and field tools. Your office manager sees scheduling and customers. Your CPA sees the ledger and nothing else. Your apprentice sees only what you want them to see. Enterprise accounts can create custom roles with granular permissions.
All data in transit is encrypted with TLS 1.3. All data at rest is encrypted with AES-256. Every file uploaded to storage goes into a private bucket with signed URLs that expire. There is no public file access anywhere in the system. Voice recordings, photos, documents, signatures. All encrypted, all private.
Every data change on every business table is logged automatically by a database trigger. Who changed it, what changed, when it changed. The audit log is append-only. Nobody can modify or delete audit entries. Financial transactions get their own detailed audit trail. Every login, every API call, every permission change. Logged.
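An added example, not ZAFTO's own code, of a trigger-fed audit log that is append-only, as the paragraph above describes. Assumptions: the invoices and audit_log tables and both function names are hypothetical, and auth.uid() and the anon and authenticated roles are Supabase's.

```sql
-- Constructed example; table and function names are hypothetical.
CREATE TABLE invoices (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    company_id uuid NOT NULL,
    total      numeric(12,2) NOT NULL
);

CREATE TABLE audit_log (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    table_name text        NOT NULL,
    action     text        NOT NULL,   -- INSERT, UPDATE or DELETE
    actor_id   uuid,                   -- who changed it
    old_row    jsonb,                  -- row before the change
    new_row    jsonb,                  -- row after the change
    changed_at timestamptz NOT NULL DEFAULT now()
);

-- SECURITY DEFINER lets the trigger write the log even though callers
-- hold no privileges on audit_log. auth.uid() is Supabase's helper.
CREATE FUNCTION record_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    INSERT INTO audit_log (table_name, action, actor_id, old_row, new_row)
    VALUES (TG_TABLE_NAME, TG_OP, auth.uid(),
            CASE WHEN TG_OP <> 'INSERT' THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP <> 'DELETE' THEN to_jsonb(NEW) END);
    RETURN NULL;  -- the return value is ignored for AFTER row triggers
END $$;

CREATE TRIGGER invoices_audit
    AFTER INSERT OR UPDATE OR DELETE ON invoices
    FOR EACH ROW EXECUTE FUNCTION record_change();

-- Append-only, layer 1: API roles get no direct access to the log.
REVOKE ALL ON audit_log FROM PUBLIC, anon, authenticated;

-- Append-only, layer 2: reject rewrites from roles that do have access.
CREATE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END $$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION reject_audit_mutation();
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION reject_audit_mutation();
```

A superuser or the table owner can still drop these triggers, so changes to the audit schema itself need to be restricted and monitored outside the database.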
The database runs on Supabase (managed PostgreSQL) with automatic backups, failover, and monitoring. Web applications are deployed on Vercel with edge caching and DDoS protection. DNS and CDN are managed by Cloudflare. The mobile app communicates exclusively through authenticated API endpoints. There are no backdoors, no debug endpoints, no public admin panels.
Business data is never physically deleted. Soft delete with deleted_at timestamps. Your data is always recoverable.
Five applications share one database. RLS handles all tenant isolation. No data leakage between companies.
All Edge Functions validate authentication headers. Company ID verified from JWT on every request. Input validation on all endpoints.
Automatic daily backups with point-in-time recovery. Your data is protected against hardware failure and human error.
ZAFTO handles every category of business data a contractor produces. Every category gets the same protection.
Bank account connections, transactions, general ledger entries, invoices, payments, payroll records, tax documents, and 1099 data. All encrypted. All audit-logged.
Names, addresses, phone numbers, email addresses, payment methods, property details, service history, and communication records. Isolated per company via RLS.
Time clock entries, GPS locations, pay rates, certifications, training records, performance data, and direct deposit information. Role-gated so technicians never see each other's pay.
Policy numbers, carrier information, adjuster details, damage documentation, moisture readings, claim amounts, and supplement records. Sensitive data with strict access controls.
Jobsite photos, before/after documentation, signed contracts, lien waivers, receipts, and voice recordings. Stored in private buckets with signed URLs. No public access.
Digital signatures on estimates, contracts, and change orders. Authentication credentials, session tokens, and API keys. All cryptographically protected.
We build to enterprise compliance standards because your business depends on it.
Our infrastructure and practices are built to meet SOC 2 Type II requirements across all five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Our infrastructure providers (Supabase, Vercel, Cloudflare) maintain their own SOC 2 certifications. Formal audit is on our pre-launch roadmap.
All primary data is stored in US-based data centers. Database hosted on AWS infrastructure via Supabase. File storage in AWS S3 (US regions). Edge Functions execute in geographically distributed Deno isolates. We do not transfer your business data outside the United States unless you explicitly request it.
Your data belongs to you. We do not sell your data. We do not use your business data to train AI models. We do not share your data with third parties except the infrastructure providers required to operate the platform. You can export your data at any time. You can request deletion at any time.
Active accounts retain all data indefinitely. Soft delete architecture means accidental deletions are recoverable. When you cancel your account, your data is retained for 90 days in case you return, then permanently purged. Financial records follow IRS retention guidelines. Audit logs are retained for the life of the account.
Every component in our stack is operated by an established, audited provider. No homebrew databases. No unvetted services.
Managed PostgreSQL on AWS. SOC 2 Type II certified. Automatic backups, point-in-time recovery, connection pooling, and real-time subscriptions. Row-level security enforced at the engine level.
All four web portals deployed on Vercel. SOC 2 Type II certified. Edge network, automatic SSL, DDoS mitigation, and zero-downtime deployments. Preview deployments for every change.
DNS management and CDN for zafto.app and all subdomains. Enterprise-grade DDoS protection, WAF rules, and bot mitigation. Global edge network with 300+ points of presence.
All payment processing handled by Stripe. PCI DSS Level 1 certified. ZAFTO never stores credit card numbers. Tokenized payments, fraud detection, and dispute management handled by Stripe.
Bank account connections handled by Plaid. SOC 2 Type II certified. ZAFTO never sees your bank credentials. Plaid handles the authentication and returns read-only transaction data.
Error monitoring and performance tracking across all applications. SOC 2 Type II certified. Alerts on anomalies. No business data is sent to Sentry. Only error context and stack traces.
We take security reports seriously. If you discover a vulnerability, contact us directly and we will respond within 24 hours.
Email support@zafto.app with the subject line "Security Report." Include a description of the issue, steps to reproduce, and your contact information. We will acknowledge within 24 hours and provide a timeline for resolution.
We will not take legal action against good-faith security researchers. We will credit reporters who help us fix real issues. We will disclose resolved issues transparently.
Questions about our security architecture? We are happy to walk you through it.