Security
How we keep your business data safe.
Encrypted in Transit
All communication between your browser and our servers uses TLS 1.2+ (HTTPS). Plain HTTP requests are automatically redirected to HTTPS.
Password Hashing
Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
Tenant Isolation
Isolated-tenancy businesses run on a fully dedicated database with separate credentials. Shared-tenancy data is filtered by tenant_id at every query level.
Encrypted Secrets
SMTP passwords and other sensitive settings are encrypted using Laravel's AES-256-CBC encryption before storage.
Audit Logging
Every significant action (login, data change, module toggle) is recorded in a tamper-evident activity log with IP address and timestamp.
Path Protection
The web server is configured to block direct access to .env, storage, config, and app directories.
Signed URLs
Admin impersonation links use Laravel signed URLs with a 10-minute expiry to prevent unauthorized tenant access.
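How an expiring signed link resists tampering and reuse, shown as an added example (not this product's code and not Laravel's implementation): a plain-PHP sketch of the general HMAC-signed-link pattern with the 10-minute expiry stated above. The function names, key, parameters and URL are constructed for illustration.

```php
<?php
// Added illustration: HMAC-signed, expiring link in plain PHP.
// sign_url/verify_url, the key and the URL are hypothetical names and values.

const LINK_TTL_SECONDS = 600; // 10-minute expiry

function sign_url(string $baseUrl, array $params, string $key, int $now): string
{
    $params['expires'] = $now + LINK_TTL_SECONDS;
    ksort($params); // canonical parameter order so both sides sign the same string
    $unsigned = $baseUrl . '?' . http_build_query($params);
    return $unsigned . '&signature=' . hash_hmac('sha256', $unsigned, $key);
}

function verify_url(string $url, string $key, int $now): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL
    }
    parse_str($parts['query'] ?? '', $params);
    $given   = $params['signature'] ?? null;
    $expires = $params['expires'] ?? null;
    unset($params['signature']);
    if (!is_string($given) || !is_string($expires) || !ctype_digit($expires)) {
        return false; // unsigned or malformed link
    }
    ksort($params);
    $base     = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    $expected = hash_hmac('sha256', $base . '?' . http_build_query($params), $key);
    // Constant-time signature comparison, then the expiry check.
    return hash_equals($expected, $given) && $now <= (int) $expires;
}

// Constructed sample data.
$key  = 'constructed-demo-key';
$t0   = 1700000000;
$link = sign_url('https://app.example.test/impersonate', ['tenant' => 42, 'admin' => 7], $key, $t0);

// Case 1: untouched link presented one minute after issue.
var_dump(verify_url($link, $key, $t0 + 60));
// Case 2: tenant parameter altered after signing.
var_dump(verify_url(str_replace('tenant=42', 'tenant=43', $link), $key, $t0 + 60));
// Case 3: untouched link presented after the 10-minute window.
var_dump(verify_url($link, $key, $t0 + LINK_TTL_SECONDS + 1));
```

Because the expiry is part of the signed string, extending it by editing the `expires` parameter invalidates the signature.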
Secure Updates
The built-in updater verifies each package with SHA-256 before applying. Updates are gated by a secret token.
Found a security vulnerability? Contact us responsibly — we take all reports seriously.