Security at Citerra

Your data security and privacy are our top priorities. We implement enterprise-grade security measures to protect your brand data and ensure compliance with industry standards.

Data Encryption

All data is encrypted both in transit and at rest using industry-standard encryption protocols.

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3, the current version of the TLS protocol.
  • At Rest: Your data is stored in encrypted databases using AES-256 encryption, the same standard used by banks and government agencies.
  • Backups: All database backups are encrypted and stored securely with restricted access.

Access Controls & Authentication

We implement strict access controls to ensure only authorized users can access your data.

  • Secure Authentication: Email and password authentication with secure password hashing using bcrypt.
  • Role-Based Access: Granular permission system with Super Admin, Admin, and User roles to control access to sensitive features.
  • Session Management: Secure session tokens with automatic expiration and refresh mechanisms.
  • Multi-Factor Authentication: Optional MFA for enhanced account security is coming soon.

Data Isolation & Multi-Tenancy

Your organization's data is completely isolated from other customers' data using database-level security controls.

  • Row-Level Security: Database-level policies ensure users can only access data belonging to their organization.
  • Organization Boundaries: All data is scoped to your organization with strict enforcement at the database layer.
  • API Security: All API endpoints validate organization membership before returning any data.

Audit Logging & Monitoring

We maintain comprehensive audit logs to track all system activities and detect potential security issues.

  • Activity Tracking: All user actions, data access, and system changes are logged with timestamps and user information.
  • Security Monitoring: Automated systems monitor for suspicious activities, failed login attempts, and unusual access patterns.
  • Audit Trail: Complete audit trails are maintained for compliance and security investigations.
  • Retention: Audit logs are retained for 90 days and available for review by authorized administrators.

Payment Security

Your payment information is handled with the highest security standards through our payment processor.

  • Stripe Integration: All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor.
  • No Card Storage: We never store your credit card information on our servers. All payment data is securely stored by Stripe.
  • Secure Webhooks: Payment notifications are verified using cryptographic signatures to prevent tampering.

Infrastructure Security

Citerra is built on enterprise-grade infrastructure with industry-leading security practices.

  • Vercel Hosting: Our application is hosted on Vercel's secure, globally distributed edge network with automatic DDoS protection.
  • Supabase Database: Data is stored in Supabase's secure PostgreSQL databases with automatic backups and point-in-time recovery.
  • Environment Isolation: Production, staging, and development environments are completely isolated.
  • Automatic Updates: Security patches and updates are applied automatically to keep the platform secure.

Compliance & Standards

We adhere to industry standards and regulations to protect your data and privacy.

  • GDPR Ready: We provide tools for data export and deletion to support GDPR compliance requirements.
  • SOC 2 Type II: Our infrastructure providers (Vercel, Supabase) maintain SOC 2 Type II compliance.
  • Data Residency: Data is stored in secure data centers with options for regional data residency.
  • Privacy Policy: We maintain a transparent privacy policy detailing how we collect, use, and protect your data.

Incident Response

We have established procedures to quickly respond to and resolve security incidents.

  • 24/7 Monitoring: Our systems are monitored around the clock for security threats and anomalies.
  • Rapid Response: Security incidents are prioritized and addressed immediately by our team.
  • Transparent Communication: In the event of a security incident, affected users are notified promptly with clear information.
  • Post-Incident Review: We conduct thorough reviews after incidents to prevent future occurrences.

Responsible Disclosure

We welcome security researchers to help us keep Citerra secure.

If you discover a security vulnerability in Citerra, please report it to us responsibly. We appreciate your efforts to improve our security.

Report Security Issues:

Email: ask@citerra.ai

Please include detailed information about the vulnerability, steps to reproduce, and potential impact. We commit to responding within 48 hours.

Questions About Security?

We're committed to transparency about our security practices. If you have questions or concerns, please don't hesitate to reach out.