Encryption, workspace isolation, two-factor authentication, and a security-first development process. Here's how we protect what you store with us.
TLS 1.3 for everything in transit. Sensitive fields at rest (API keys, OAuth tokens, 2FA secrets, recovery codes) encrypted with AES-256 via Laravel's encryption layer using your application key. Database backups encrypted too.
Every database row is tagged with a workspace ID. Eloquent global scopes enforce strict tenant isolation — no agency on the platform can query, read, or modify another agency's clients, reports, or settings. Verified by automated tests.
TOTP-based 2FA available for all accounts. Compatible with Google Authenticator, Authy, 1Password, Bitwarden. One-time recovery codes generated at setup. Admins can enforce 2FA workspace-wide.
Every workspace mutation is recorded: who did what, when, from which IP (for security-relevant actions). Admins view the full audit log in Settings → Activity Log. Exportable on Enterprise plans.
Hosted on Laravel Forge with AWS as the underlying cloud. Firewall rules locked down to only necessary ports. Automated security patching. Daily encrypted database backups with point-in-time restore.
Database-backed sessions with 8-hour timeout. CSRF protection on every mutating request. Brute-force throttling on login and 2FA endpoints. Forced re-auth after password reset.
Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy all applied. Content Security Policy in place. Browser-extension calls origin-locked.
AI features call third-party providers (Anthropic, etc.) under enterprise terms that prohibit training on customer data. Prompts and responses are one-shot — not retained on our servers beyond the current request.
Security researchers — we welcome you. Please disclose responsibly.
Email security@skyvistaconsulting.com with a description of the issue, steps to reproduce, and any proof-of-concept code.
We aim to acknowledge reports within 48 hours and patch validated vulnerabilities within 14 days. We don't currently run a paid bug bounty, but we credit researchers publicly (with permission) on this page.