Security & Data Protection

Your business data is critical - customer records, job history, financial information, and payment details. ServiceTap is built from the ground up to protect it with enterprise-grade security at every layer.

Encryption at Rest & In Transit
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Every API call, file upload, and database query is encrypted. Customer data, job records, invoices, and payment information are protected at every layer.
Role-Based Access Control
Granular permissions for Owner, Admin, Office Manager, Dispatcher, and Technician roles. Each role sees only what it needs - technicians see their jobs, dispatchers see the board, admins see everything. Enforced at the database level with Supabase Row-Level Security.
Audit Trails
Every significant action is logged: job status changes, invoice edits, payment collections, user logins, and permission changes. Append-only audit logs provide accountability and help resolve disputes with complete activity history.
PCI Compliance via Stripe
ServiceTap never stores credit card numbers. All payment processing is handled by Stripe, a PCI Level 1 Service Provider. Card data never touches our servers - it goes directly from your customer's device to Stripe's PCI-compliant infrastructure.
Offline Security
Data stored locally for offline use is held in secure on-device storage with PowerSync. When connectivity is restored, records sync over TLS with conflict resolution to prevent data loss. Offline mode never compromises data integrity.
Infrastructure Security
Hosted on Supabase (AWS) with SOC 2 Type II certified infrastructure. Automatic HTTPS, DDoS protection, and hardened security headers. Managed PostgreSQL with strict network isolation and encrypted connections.
Row-Level Security
Every database table is protected by Supabase RLS policies. Data isolation is enforced at the database level, not just the application UI. Even direct API access respects organization boundaries - you can never access another company's data.
Backup & Recovery
Automated daily database backups with point-in-time recovery. Backups are encrypted and stored in a separate availability zone. In the event of a failure, your data can be restored to any point within the recovery window.
Authentication Security
Industry-standard authentication with secure HTTP-only cookie sessions. Password requirements enforce minimum complexity. Support for email-based password recovery with time-limited tokens. Session tokens are rotated regularly.

How We Handle Your Data

ServiceTap stores your business data in Supabase (hosted on AWS) with full encryption and strict access controls. We do not sell, share, or monetize your data. Your customer lists, job records, and financial information belong to you.

Payment processing is handled entirely by Stripe. Credit card numbers never touch our servers. Stripe handles all PCI DSS compliance requirements as a Level 1 Service Provider - the highest level of certification available.

You can export all of your data at any time. We believe in zero lock-in - if you decide to leave ServiceTap, your data leaves with you. No export fees, no data hostage situations, no hoops to jump through.

We are actively working toward SOC 2 Type II certification and continuously review our security practices, dependency chains, and access controls.

Our Security Commitment

We understand that you're trusting us with data that represents your entire business - years of customer relationships, service records, and financial history. That responsibility shapes every technical decision we make.

Security is not an add-on at ServiceTap. It is built into the database layer with Row-Level Security policies, into the API with authentication middleware, and into the application with role-based access controls.

If you have questions about our security practices or need a compliance statement for your organization, please contact us.

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure and will work quickly to address any verified vulnerabilities.
