Security
Trade contractors hand us their customer lists, pricing, payroll, and crew locations. We treat that data the way we'd want ours treated.
TLS 1.3 in transit for every connection. AES-256 at rest for the database and all uploaded files. Encrypted backups, encrypted secrets, encrypted laptops for the team.
Multi-tenancy is enforced at the database. A user can never see another company's data — not by misconfiguration, not by SQL injection, not by an API bug. Every query is scoped by company at the lowest layer.
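The database-layer scoping described above, as an added example that is not ProTradesMax's own schema or code: a PostgreSQL row-level-security policy (Supabase is built on PostgreSQL) over a constructed `jobs` table, with a hypothetical `app_user` role and a transaction-local `app.current_company_id` setting standing in for whatever the application actually uses.

```sql
-- Constructed schema: one table holds rows for every tenant, tagged by company_id.
CREATE TABLE jobs (
  id          bigserial PRIMARY KEY,
  company_id  uuid    NOT NULL,
  customer    text    NOT NULL,
  price_cents integer NOT NULL
);

-- Constructed sample data for two tenants, loaded before RLS is switched on.
INSERT INTO jobs (company_id, customer, price_cents) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Acme Roofing customer',  250000),
  ('22222222-2222-2222-2222-222222222222', 'Beta Plumbing customer', 180000);

-- Enable RLS and FORCE it so the table owner is subject to the policy as well.
-- Superusers and roles with BYPASSRLS still skip it, so the application must
-- never connect as one of those.
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- The tenant comes from a transaction-local setting the app sets right after
-- BEGIN. With missing_ok = true, current_setting() returns NULL when it is
-- unset, the comparison yields NULL, and the policy fails closed.
-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE rows
-- tagged with a different company_id.
CREATE POLICY jobs_tenant_isolation ON jobs
  USING      (company_id = current_setting('app.current_company_id', true)::uuid)
  WITH CHECK (company_id = current_setting('app.current_company_id', true)::uuid);

-- Hypothetical application role: ordinary table privileges only.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON jobs TO app_user;
GRANT USAGE ON SEQUENCE jobs_id_seq TO app_user;

-- One request on behalf of tenant 1111..., run here by an admin who can SET ROLE.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_company_id = '11111111-1111-1111-1111-111111111111';

-- No WHERE clause at all, yet only tenant 1111...'s row comes back.
SELECT customer FROM jobs;

-- A query that names the other tenant explicitly (the shape a buggy or
-- injected filter would produce) is filtered to nothing and updates nothing.
SELECT count(*) FROM jobs WHERE company_id = '22222222-2222-2222-2222-222222222222';
UPDATE jobs SET price_cents = 0
 WHERE company_id = '22222222-2222-2222-2222-222222222222';

-- Writing a row tagged for another tenant violates WITH CHECK and is rejected.
INSERT INTO jobs (company_id, customer, price_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled', 1);
ROLLBACK;
```

Run it in psql as the table owner or a superuser; the final INSERT is meant to error out, which is the behaviour being demonstrated.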
Role-based permissions across the app (field_tech, estimator, manager, admin, executive) and capability-level RBAC for sensitive actions. SSO and SCIM provisioning are available on the Enterprise plan.
Hosted on Vercel and Supabase, both SOC 2 Type II audited. Database in us-east-1 with point-in-time recovery and hourly backups. No production data ever leaves the encrypted environment.
Sentry for application errors, structured logs for every request, anomaly detection on auth events. Suspicious activity triggers a page to the on-call engineer in minutes.
Documented runbook, 24×7 on-call rotation, customer notification within 24 hours of a confirmed material incident. Post-mortems published within two weeks for anything customer-facing.
Where we stand on the frameworks that matter for B2B SaaS. We update this list as audits complete.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Audit started Q1. Report published on this page once it completes. |
| GDPR / UK GDPR | Compliant | DPA available on request. EU sub-processors disclosed in the privacy policy. |
| CCPA / CPRA | Compliant | Data subject requests honored within statutory timelines. |
| HIPAA | Not in scope | ProTradesMax is not designed for protected health information. Do not upload PHI. |
Procurement teams: we’ll fill out your standard questionnaire (CAIQ, VSAQ, SIG Lite, or your own template) in five business days. Email security@protradesmax.com with the doc.
Found a vulnerability? Report it to security@protradesmax.com. We acknowledge within one business day, triage within three, and credit reporters in our public disclosures with permission. Please don’t access other tenants’ data, run automated vulnerability scanners against production, or post issues publicly before we’ve had a chance to fix them.
For data handling, retention, and sub-processors, see the Privacy Policy. For platform availability, see the status page.