Security Practices

Last Updated: November 19, 2025

Our Commitment to Security

At PoolVerify, we take the security of your data seriously. This page outlines the security measures we implement to protect your inspection data, client information, and account details.

We employ industry-standard security practices and work with trusted, security-focused service providers to ensure your data remains secure and private.

Bank-Grade Encryption

TLS 1.3 in transit, AES-256 at rest

Multi-Tenant Isolation

Row-Level Security policies protect your data

Secure Infrastructure

Hosted on AWS via trusted providers

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using:

  • TLS 1.3: The latest Transport Layer Security protocol for maximum security during data transmission
  • HTTPS Everywhere: All connections to PoolVerify use HTTPS with no exceptions
  • Perfect Forward Secrecy: Each session uses unique, ephemeral encryption keys, so a later compromise of a long-term key cannot be used to decrypt previously recorded sessions
  • Strong Cipher Suites: We support only modern, secure encryption algorithms and disable outdated protocols

1.2 Encryption at Rest

Your data is encrypted when stored in our databases and file storage:

  • AES-256 Encryption: Database and file storage use AES-256 encryption, the same standard used by banks and government agencies
  • Encrypted Backups: All database backups are encrypted with the same AES-256 standard
  • Inspection Photos: Uploaded photos are stored in encrypted private storage buckets
  • Secure Key Management: Encryption keys are managed by AWS KMS (Key Management Service) through our infrastructure provider

2. Authentication and Access Control

2.1 User Authentication

We use Clerk, a security-focused authentication provider, to manage user accounts:

  • Secure Password Hashing: Passwords are hashed using bcrypt with strong salt values and never stored in plain text
  • Session Management: Secure, encrypted session tokens with automatic expiration
  • Password Requirements: Minimum 8 characters with complexity requirements enforced
  • Account Lockout: Automatic lockout after multiple failed login attempts to prevent brute force attacks
  • Email Verification: Email addresses must be verified before account activation

2.2 Multi-Tenant Data Isolation

Your data is isolated from other users through multiple security layers:

  • Row-Level Security (RLS): PostgreSQL Row-Level Security policies ensure you can only access your own data
  • Tenant-Based Architecture: Every database query is automatically scoped to your tenant/organization
  • API-Level Authorization: All API requests verify user identity and tenant membership before granting access
  • File Storage Isolation: Inspection photos are stored in tenant-specific folders with access controls

2.3 Role-Based Access Control

Within your organization, we support multiple user roles with different permission levels:

  • Owner: Full access to all features, billing, and team management
  • Admin: Manage inspections and users, but no billing access
  • Inspector: Create and edit own inspections, view team inspections
  • Viewer: Read-only access to inspections and reports

3. Infrastructure Security

3.1 Cloud Infrastructure

PoolVerify is built on secure, enterprise-grade cloud infrastructure:

  • Vercel: Application hosting with automatic HTTPS, DDoS protection, and global CDN
  • Supabase (AWS): Database and file storage hosted on AWS infrastructure in the us-west-2 (Oregon) region
  • AWS Security: Benefits from AWS's multi-layered security approach including physical security, network security, and compliance certifications

3.2 Network Security

  • Firewall Protection: Database and services are protected by cloud provider firewalls with strict access rules
  • DDoS Protection: Automatic protection against distributed denial-of-service attacks via Vercel and AWS
  • Private Networking: Database connections use private networks and are not exposed to the public internet
  • IP Filtering: Administrative database access is restricted to authorized IP addresses only

3.3 Application Security

Our application code follows security best practices:

  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • SQL Injection Prevention: Parameterized queries and prepared statements prevent SQL injection
  • XSS Protection: Content Security Policy (CSP) headers and input sanitization prevent cross-site scripting
  • CSRF Protection: Anti-CSRF tokens protect against cross-site request forgery attacks
  • Secure Headers: HTTP security headers (HSTS, X-Frame-Options, etc.) protect against common attacks

4. Data Backup and Recovery

4.1 Automated Backups

Your data is backed up automatically to protect against data loss:

  • Daily Backups: Full database backups are performed daily and retained for 30 days
  • Point-in-Time Recovery: Database supports point-in-time recovery for the past 7 days
  • Encrypted Backups: All backups are encrypted using AES-256
  • Geographic Redundancy: Backups are stored in a separate geographic region for disaster recovery
  • File Storage Replication: Inspection photos are replicated across multiple availability zones

4.2 Disaster Recovery

We maintain a disaster recovery plan to ensure business continuity:

  • Recovery Time Objective (RTO): Target to restore service within 4 hours of a major outage
  • Recovery Point Objective (RPO): Maximum 1 hour of data loss in worst-case scenarios
  • High Availability: Database replication with automatic failover capability
  • Restoration Testing: Regular testing of backup restoration procedures

4.3 Your Responsibility

Important: While we maintain comprehensive backups, we recommend you regularly download copies of critical inspection reports. You remain responsible for maintaining your own backups of important data.

5. Third-Party Service Providers

We carefully select security-focused service providers and ensure they maintain appropriate security standards:

Clerk (Authentication)

  • SOC 2 Type II certified authentication provider
  • Handles all user authentication, password management, and session security
  • Data Processing Agreement in place
  • GDPR and CCPA compliant

Supabase (Database & Storage)

  • SOC 2 Type II certified PostgreSQL database hosting
  • Built on AWS infrastructure with encryption at rest and in transit
  • Row-Level Security (RLS) for multi-tenant data isolation
  • Data Processing Agreement in place
  • Infrastructure located in AWS us-west-2 (Oregon) region

Polar.sh (Payment Processing)

  • PCI DSS Level 1 compliant payment processor
  • Acts as Merchant of Record - we never see or store your payment card details
  • Handles all payment processing and subscription billing securely
  • Data Processing Agreement in place

Resend (Email Delivery)

  • Transactional email delivery for inspection reports and notifications
  • Does not store customer data beyond delivery logs
  • GDPR-compliant data processing
  • Data Processing Agreement in place

Vercel (Application Hosting)

  • SOC 2 Type II certified hosting platform
  • Automatic HTTPS with TLS 1.3
  • Global CDN for fast, secure content delivery
  • DDoS protection and web application firewall

All third-party providers are contractually obligated to protect your data and have Data Processing Agreements in place that meet California privacy law requirements.

6. Security Monitoring and Logging

6.1 Activity Logging

We maintain comprehensive logs to monitor system security and detect suspicious activity:

  • Authentication Logs: Login attempts, successful logins, and session activity
  • Access Logs: API requests, data access, and user actions
  • System Logs: Application errors, performance issues, and security events
  • Log Retention: Activity logs are retained for 90 days for security analysis
  • Secure Storage: Logs are encrypted and access-controlled

6.2 Security Monitoring

We actively monitor for security threats and anomalies:

  • Failed Login Monitoring: Automated detection of suspicious login patterns and brute force attempts
  • Unusual Activity Alerts: Monitoring for abnormal data access patterns or API usage
  • Error Tracking: Real-time error monitoring to quickly identify and resolve security issues
  • Performance Monitoring: Uptime monitoring to detect service disruptions or attacks

6.3 Incident Response

In the event of a security incident, we follow a defined response process:

  1. Immediate investigation and containment of the incident
  2. Assessment of impact and affected users
  3. Notification to affected users within 72 hours (if personal data is compromised)
  4. Remediation and implementation of preventive measures
  5. Post-incident review and security improvements

7. Vulnerability Management

7.1 Dependency Management

  • Automated Scanning: We use automated tools to scan dependencies for known vulnerabilities
  • Regular Updates: Dependencies are kept up to date with security patches
  • Security Advisories: We monitor security advisories for all third-party libraries
  • Critical Patches: Critical security updates are deployed within 48 hours of release

7.2 Security Updates

We maintain a proactive approach to security updates:

  • Regular review and update of application dependencies
  • Infrastructure updates managed by cloud providers (Vercel, Supabase)
  • Continuous monitoring of security bulletins
  • Prompt deployment of security patches for critical vulnerabilities

7.3 Code Security

  • Secure Coding Practices: Following OWASP guidelines for secure application development
  • Code Review: Security considerations in all code changes
  • Static Analysis: Automated code scanning for security vulnerabilities
  • Testing: Security testing as part of the development process

8. Data Privacy and Compliance

8.1 Privacy Compliance

We comply with applicable privacy laws and regulations:

  • CCPA/CPRA: Full compliance with California Consumer Privacy Act and California Privacy Rights Act
  • CalOPPA: Compliance with California Online Privacy Protection Act
  • Data Minimization: We collect only the data necessary to provide our services
  • Purpose Limitation: Data is used only for the purposes disclosed in our Privacy Policy
  • Retention Limits: Data is retained only as long as necessary or required by law

8.2 Your Privacy Rights

Under California privacy law, you have the right to:

  • Know what personal information we collect and how we use it
  • Access your personal information
  • Request deletion of your personal information
  • Correct inaccurate personal information
  • Opt out of the sale of personal information (we do not sell your data)

See our Privacy Policy for detailed information about your privacy rights and how to exercise them.

9. Data Breach Response

In the unlikely event of a data breach affecting personal information:

  1. Discovery and Containment: Immediate investigation and containment of the breach
  2. Impact Assessment: Determine what data was affected and which users are impacted
  3. Notification: Notify affected users within 72 hours via email
  4. Regulatory Compliance: Comply with California Civil Code §1798.82 breach notification requirements
  5. Remediation: Take immediate steps to prevent future incidents
  6. Transparency: Provide clear information about the breach, affected data, and protective measures

Breach Notification: If your data is compromised in a breach, we will notify you via email with details about the incident, what information was affected, and steps you should take to protect yourself.

10. Your Security Responsibilities

Security is a shared responsibility. You can help keep your account secure by:

  • Strong Passwords: Use unique, complex passwords that are at least 12 characters long
  • Password Manager: Consider using a password manager to generate and store strong passwords
  • Don't Share Credentials: Never share your login credentials with others
  • Secure Devices: Keep your devices and browsers updated with the latest security patches
  • Secure Networks: Avoid accessing sensitive data over public Wi-Fi without a VPN
  • Log Out: Log out when using shared or public computers
  • Monitor Activity: Review your account activity regularly for any suspicious actions
  • Report Issues: Immediately report any suspected security issues or unauthorized access

11. Responsible Disclosure Program

We welcome security researchers and users who discover potential security vulnerabilities to report them responsibly.

11.1 How to Report

Security Contact: support@poolverify.io

Please include "Security Vulnerability Report" in the subject line.

11.2 What to Include

When reporting a security vulnerability, please provide:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up

11.3 Our Commitment

When you report a security vulnerability to us, we commit to:

  • Acknowledge: Respond within 24 hours of receiving your report
  • Investigate: Thoroughly investigate and validate the reported issue within 5 business days
  • Update: Keep you informed about our investigation and remediation progress
  • Fix: Address confirmed vulnerabilities promptly based on severity
  • Credit: Acknowledge your contribution (with your permission) once the issue is resolved
  • Safe Harbor: We will not pursue legal action against researchers who act in good faith

11.4 Guidelines for Researchers

When conducting security research, please:

  • Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
  • Do not perform testing that could degrade service availability or impact other users
  • Do not publicly disclose the vulnerability before we have addressed it
  • Allow us reasonable time to investigate and remediate the issue
  • Do not conduct social engineering attacks against our team or users

12. Industry Best Practices

PoolVerify follows recognized industry security frameworks and best practices:

  • OWASP Top 10: Protection against the most critical web application security risks
  • NIST Cybersecurity Framework: Alignment with NIST guidance for security controls
  • CIS Controls: Implementation of Center for Internet Security best practices
  • Principle of Least Privilege: Users and systems have only the minimum access necessary
  • Defense in Depth: Multiple layers of security controls throughout the application
  • Security by Design: Security considerations integrated into every phase of development

13. Security Limitations

Important Disclaimer: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security, and we are not liable for security breaches resulting from factors beyond our reasonable control.

Security is an ongoing process, and we continuously work to improve our security posture. We encourage you to report any security concerns you may have.

14. Contact Us

For security questions, concerns, or to report a vulnerability, please contact us:

PoolVerify Security Team

Email: support@poolverify.io

For vulnerability reports, include "Security Vulnerability Report" in the subject line.

Last Security Review: November 2025

This security page is updated regularly to reflect our current security practices and any significant changes to our infrastructure or processes.
