Security & Trust

Your customer data stays yours.

Field service businesses hold some of the most sensitive customer data that exists — home addresses, access codes, payment methods, service history. Here's how we protect it.

Technical controls

What's actually protecting your data

Encryption in transit

TLS 1.3 on every request between your browser, our API, and our database. HSTS with preload, cert rotation via Let's Encrypt. No plaintext HTTP accepted — port 80 redirects permanently to HTTPS.

Encryption at rest

AES-256 encryption on all PostgreSQL data, ClickHouse GPS events, and Cloud Storage file uploads (job photos, signed work orders). Backups are encrypted with a separate key from the primary database.

Multi-tenant isolation

Every row in every PostgreSQL table carries a company_id, enforced by PostgreSQL row-level security (RLS). A compromised query cannot access another company's data — the database refuses to return rows that don't match the authenticated user's company. Confirmed via penetration test.

Role-based access control

Owner, Dispatcher, and Technician roles with distinct permissions. Techs can only see jobs assigned to them. Dispatchers can see the full schedule and customer records. Owners have everything plus billing access. Role changes require 2FA.

Data handling

You own your data. Period.

What customer data does Servinix store?

Business contact information (name, phone, email, service addresses), service history (jobs completed, photos, notes, signatures), payment records (via Stripe — no card numbers stored by us), and voice call transcripts (from the AI phone agent). Audio recordings are retained for 90 days by default for quality assurance, then deleted.

Who can access my data?

Only authorized Servinix engineers for specific support cases, and only with your written consent via a support ticket. All access is logged and audited. We don't grant third-party analytics providers access to identifiable customer data — only aggregated, anonymized product metrics.

Can I export my data?

Yes, at any time. Full CSV export of customers, jobs, invoices, and service history is available from Settings → Export. API access is also available for real-time programmatic export. You own your data.

What happens to my data if I cancel?

Your data is retained for 90 days after cancellation in case you want to reactivate. After 90 days, all identifiable data is permanently deleted from production and backups. Aggregated non-identifiable product metrics (e.g., 'X companies used feature Y') are retained indefinitely.

Compliance

Honest about where we are

SOC 2 Type II is a 6-12 month audit process. Every SaaS that claims "SOC 2" without a current certificate is either misleading or referring to Type I. We're transparent.

SOC 2 Type II

In progress

Audit window scheduled for Q3 2026. We're honest about this — SOC 2 is a 6-12 month process and we're not done yet. In the interim, we follow the SOC 2 Type II control framework and can provide our security whitepaper and penetration test results under NDA.

GDPR

Compliant

EU data subjects have the right to access, rectify, and delete their data. Our Data Processing Addendum (DPA) is available on request. We don't currently have EU data residency — all data is hosted in US regions. Discuss with us if this is a blocker for your use case.

CCPA / CPRA

Compliant

California residents have the right to know, delete, correct, and opt out of sale of their personal information. We don't sell personal information to third parties under any circumstance.

TCPA (for SMS + calls)

Enforced in product

SMS-based communications (review requests, appointment reminders, rain-delay notifications, payment reminders) respect TCPA quiet hours (8am-8pm local time) by default. Opt-outs via STOP reply are honored within 24 hours. Consent language is included in all customer-facing intake forms.

PCI DSS

Stripe-handled

We never store, transmit, or process card numbers ourselves. All card data goes directly to Stripe via their tokenization system. Stripe is PCI DSS Level 1 certified — the highest PCI tier.

When something goes wrong

Incident response

  • 24/7 monitoring with on-call engineer rotation
  • Anomaly detection alerts on unusual data-access patterns
  • Security incident response runbook with defined escalation paths
  • Status page (status.servinix.com, launching June 2026) for real-time service health
  • Vulnerability disclosure policy — researchers, report to security@servinix.com

Report a vulnerability

Security researcher or customer who spotted something? Email security@servinix.com — we respond within 4 business hours. In-scope reports receive acknowledgment and, with your permission, credit in our security advisories.

FAQ

Security questions buyers ask

Is Servinix SOC 2 certified?

SOC 2 Type II audit is scheduled for Q3 2026 — we're not certified yet. We're transparent about this because every other field service SaaS that claims 'SOC 2 compliant' without a current certificate is either misleading or referring to Type I (a point-in-time attestation, not ongoing). We follow the SOC 2 control framework now and will publish our Type II report when the audit completes. Enterprise prospects can get our interim security whitepaper under NDA.

How is my data separated from other customers' data?

Every database row (in PostgreSQL) and every event (in ClickHouse for GPS data) carries a company_id that identifies which customer owns it. PostgreSQL row-level security (RLS) enforces that queries can only return rows matching the authenticated user's company_id — the database refuses otherwise. This prevents an SQL injection or misconfigured query from leaking cross-tenant data. We audit RLS enforcement as part of every penetration test.
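
Row-level security as described under "Multi-tenant isolation" and in this answer, shown as an added PostgreSQL example that is not Servinix's own schema or code. The jobs table, the app_user role, the app.company_id setting, and the tenant UUIDs are hypothetical names and constructed values.

```sql
-- Added example. Table, role, and setting names are hypothetical.
CREATE TABLE jobs (
    id         bigserial PRIMARY KEY,
    company_id uuid NOT NULL,
    address    text NOT NULL
);
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;  -- apply policies to the table owner too

-- Rows are readable and writable only when company_id matches the tenant context.
-- With app.company_id unset, current_setting() raises an error: it fails closed.
CREATE POLICY tenant_isolation ON jobs
    USING      (company_id = current_setting('app.company_id')::uuid)
    WITH CHECK (company_id = current_setting('app.company_id')::uuid);

-- The application role must not be a superuser and must not have BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON jobs TO app_user;
GRANT USAGE ON SEQUENCE jobs_id_seq TO app_user;

-- Constructed tenants: A = 1111..., B = 2222... Seed one row for tenant B.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.company_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO jobs (company_id, address)
VALUES ('22222222-2222-2222-2222-222222222222', '2 Constructed Ave');
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.company_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO jobs (company_id, address)
VALUES ('11111111-1111-1111-1111-111111111111', '1 Constructed St');
SELECT address FROM jobs;               -- no tenant filter here; the policy supplies it
SAVEPOINT s;
INSERT INTO jobs (company_id, address)  -- violates WITH CHECK: not tenant A's company_id
VALUES ('22222222-2222-2222-2222-222222222222', 'written as A');
ROLLBACK TO s;
COMMIT;

-- Audit: tables with a company_id column where RLS is not both enabled and forced.
SELECT c.relname
FROM pg_class c
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE a.attname = 'company_id' AND NOT a.attisdropped
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
-- Audit: roles that skip every policy regardless of FORCE.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The two audit queries are the checks worth repeating after every schema migration: a new table that carries company_id but has no policy, or an application role that gains BYPASSRLS, removes the isolation without any error.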

Does Servinix use any of my data to train AI models?

No. Customer conversation data, job notes, and photos are never used to train general-purpose AI models. The Claude models we use for call handling and SMS responses are hosted by Anthropic with zero-retention policies — Anthropic does not store or train on data sent through the API.

What if there's a security incident?

We notify affected customers within 72 hours of a confirmed incident, regardless of severity (GDPR-aligned timeline). Our runbook covers containment, assessment, notification, and remediation. Customers can report suspected incidents via security@servinix.com at any time — we respond within 4 business hours.

Can I bring my own IdP / SSO?

SAML 2.0 SSO for Owner and Dispatcher roles is on the roadmap for Q3 2026 alongside SOC 2. Technicians will continue to use standard email + password login because SSO integration on phones in the field is often more friction than security benefit. Contact sales@servinix.com if SSO is a requirement for your operation.

Where is my data hosted?

US regions only — Google Cloud Platform us-central1 (primary) and us-east4 (read replica). We don't currently offer EU data residency, though it's on the roadmap. If EU residency is a hard requirement for your operation, talk to us before signing up.

How can I report a security vulnerability?

Email security@servinix.com with a description, reproduction steps, and any relevant artifacts. We respond within 4 business hours for in-scope reports. We don't currently run a public bug bounty but we acknowledge and credit responsible disclosure on our /security page.

Get started today

Need the security whitepaper?

Enterprise prospects can request our interim SOC 2 control mapping under NDA.
