Security Statement

Effective date: 1 June 2026  ·  Last updated: 1 June 2026

1. Our Commitment

Security is a core operational priority at ServiceSmartOS. We understand that the safety documentation, worker records, and compliance data you store on our platform are sensitive and operationally critical. We implement technical and organisational measures designed to protect your data against unauthorised access, loss, alteration, and disclosure.

This statement describes the security controls we have in place. It is intended to give you confidence in our security posture and to support your own due diligence processes.

2. Infrastructure and Hosting

ServiceSmartOS is hosted on enterprise-grade cloud infrastructure:

Application Hosting

The ServiceSmartOS web application is hosted on Vercel, a globally distributed edge network. Vercel operates SOC 2 Type II certified infrastructure with 99.99% uptime guarantees.

Database and Storage

All database, authentication, and file storage is provided by Supabase, which runs on Amazon Web Services (AWS). Supabase holds SOC 2 Type II certification. Data is stored in AWS data centres, typically in the ap-southeast-2 (Sydney) region, ensuring data residency within Australia for most customers.

Payment Processing

All payment processing is handled exclusively by Stripe Inc., which is certified to PCI DSS Level 1 — the highest level of payment card security certification. We never store, transmit, or have access to full payment card numbers.

3. Encryption

3.1 Encryption in Transit

All data transmitted between your browser and the ServiceSmartOS platform is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints. Connections using older, insecure protocols are rejected. HTTP Strict Transport Security (HSTS) is enabled to prevent downgrade attacks.

3.2 Encryption at Rest

All data stored in the ServiceSmartOS database is encrypted at rest using AES-256 encryption, provided by AWS and Supabase infrastructure. Database backups are also encrypted at rest.

File attachments uploaded to the platform are stored in Supabase Storage with server-side encryption.

4. Access Control

4.1 User Authentication

User authentication is managed by Supabase Auth, which implements industry-standard authentication flows including:

  • Secure password hashing using bcrypt
  • JWT-based session management with configurable expiry
  • Email verification required for new accounts
  • Secure password reset via time-limited email tokens

4.2 Role-Based Access Control

Within organisations, access to records is controlled by role-based permissions. Platform administrators, company administrators, and standard users have different levels of access. Row-level security (RLS) policies are enforced at the database layer, ensuring that authenticated users can only access records belonging to their organisation.

4.3 Our Internal Access Controls

Access to production systems and customer data by ServiceSmartOS staff is restricted on a need-to-know basis. Production database access requires multi-factor authentication. All access events are logged. We do not routinely access customer data unless required to resolve a support issue, and only with the customer's knowledge where practicable.

5. Application Security

The ServiceSmartOS application is built using Next.js 15 and follows OWASP security guidelines. Security measures implemented at the application layer include:

  • Input validation and parameterised queries to prevent SQL injection
  • Content Security Policy (CSP) headers to prevent cross-site scripting (XSS)
  • CSRF protection on all state-changing API endpoints
  • Secure, HTTP-only cookies for session management
  • Rate limiting on authentication and AI generation endpoints
  • Dependency scanning and security updates applied regularly

6. Backups and Recovery

Automated database backups are performed daily by Supabase. Backups are encrypted and stored in geographically separate locations. Retention periods for backups are described in our Data Retention Policy.

We maintain documented business continuity and disaster recovery procedures. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are reviewed periodically to align with business requirements.

7. Security Monitoring

We monitor the platform continuously for anomalous activity, including:

  • Failed authentication attempts and brute force indicators
  • Unusual access patterns or data volumes
  • Infrastructure health and availability
  • Error rates and application exceptions

Supabase provides database activity logging and alerting. Infrastructure-level security events are monitored through AWS CloudWatch and Vercel's monitoring tools.

8. Security Incident Response

In the event of a security incident that affects customer data, we will:

  1. Immediately contain and investigate the incident
  2. Notify affected customers without undue delay, and within 72 hours where required by applicable law
  3. Provide details of the nature of the breach, the categories of data affected, and the steps we are taking to remediate it
  4. Notify the Office of the Privacy Commissioner (New Zealand) and/or the Office of the Australian Information Commissioner (Australia) where required under applicable privacy legislation
  5. Conduct a post-incident review and implement improvements to prevent recurrence

To report a suspected security incident involving your account, contact support@servicesmartos.com immediately.

9. Responsible Disclosure

We welcome reports from security researchers and members of the public who identify security vulnerabilities in the ServiceSmartOS platform. If you believe you have found a security vulnerability, please report it responsibly:

Security Disclosure Contact

Email: support@servicesmartos.com

Subject line: "Security Vulnerability Report"

Please include in your report: a description of the vulnerability, steps to reproduce it, the potential impact, and your contact details. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it (typically 90 days).

We do not currently operate a formal bug bounty programme, but we will acknowledge valid security reports and work with you to address them promptly.

10. Customer Responsibilities

Security is a shared responsibility. Customers can protect their ServiceSmartOS accounts by:

  • Using strong, unique passwords and not reusing passwords from other services
  • Keeping login credentials confidential and not sharing them with others
  • Ensuring that former employees and contractors are removed from your account promptly when their access should be revoked
  • Notifying us immediately of any suspected unauthorised access to your account
  • Keeping the devices used to access ServiceSmartOS up to date with operating system and browser security updates

11. Contact

Security enquiries, vulnerability reports, and incident notifications should be directed to support@servicesmartos.com.