Security at Sergio

How we protect your business and customer data

Infrastructure Compliance

Sergio is built on industry-certified infrastructure. Our providers maintain the following certifications:

Supabase

Database, Authentication, Storage

SOC 2 Type II · HIPAA

Canada (ca-central-1)

Cloudflare

CDN, WAF, DDoS Protection, Edge Compute

SOC 2 Type II · ISO 27001 · PCI DSS

Stripe

Payment Processing

PCI DSS Level 1

These certifications cover the infrastructure layer. Sergio implements additional application-layer security controls described below.

Data Residency & Sovereignty

Your core business data — customers, jobs, invoices, schedules — is stored in Canada.

Primary Data Storage

AWS ca-central-1 (Montreal, Canada)

Database, authentication, and file storage are hosted in Canadian data centers via Supabase.

Compute & Delivery

Some processing occurs in the United States through sub-processors (payment processing, AI inference, email delivery). All data remains within North America.

Geographic Enforcement

Sergio is available exclusively to businesses operating in North America (United States and Canada). Geographic restrictions are enforced at signup.

Compliant with PIPEDA and provincial privacy legislation (Alberta PIPA, BC PIPA, Quebec Law 25)

Multi-Tenant Data Isolation

Sergio is a multi-tenant platform - multiple businesses share the same infrastructure. But your data is completely isolated from other companies through multiple security layers.

Row-Level Security (RLS)

Every database query is automatically filtered by your company ID at the database level. This isn't application code that could have bugs - it's enforced by PostgreSQL itself.

-- Example RLS policy on jobs table
-- Note: auth.jwt() ->> 'company_id' yields text; cast it to the column's
-- type (e.g. ::uuid) if company_id is not a text column.
CREATE POLICY "Users can only see their company's jobs"
  ON jobs FOR SELECT
  USING (company_id = auth.jwt() ->> 'company_id');

Even if an attacker gained access to the database, they could only see their own company's data.
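The SELECT policy above is one piece of a tenant-isolation policy set. The block below is an added example, not Sergio's own schema or policies: it shows the full set (enable and force RLS, one policy per command, WITH CHECK on writes) and a quick check with constructed claims. It assumes a Supabase-style auth.jwt() that returns the caller's JWT claims as jsonb by reading the request.jwt.claims setting, a constructed jobs table whose company_id is a uuid, and that it runs as a role that is not a superuser and has no BYPASSRLS attribute, since RLS applies to the database role the connection uses, not to the attacker's intent: FORCE ROW LEVEL SECURITY closes the table-owner case, nothing closes the superuser case.

```sql
-- Added example (not Sergio's own schema or policies).
-- Assumes Supabase's auth.jwt(), which returns the caller's JWT claims as
-- jsonb. On plain PostgreSQL a test shim is (do not create it on Supabase):
--   CREATE SCHEMA IF NOT EXISTS auth;
--   CREATE FUNCTION auth.jwt() RETURNS jsonb LANGUAGE sql STABLE AS
--   $$ SELECT NULLIF(current_setting('request.jwt.claims', true), '')::jsonb $$;

-- Constructed table for the example (not the real schema).
CREATE TABLE IF NOT EXISTS jobs (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  company_id uuid NOT NULL,
  title      text NOT NULL
);

-- 1. Policies are inert until RLS is enabled. The table owner bypasses RLS
--    unless FORCE is set; superusers and BYPASSRLS roles always bypass it,
--    so application connections must never run as either.
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- 2. Tenant id from the token. ->> yields text and PostgreSQL has no
--    uuid = text operator, so the claim is cast to the column's type. A
--    missing claim yields NULL, and NULL never satisfies a policy, so a
--    token without company_id sees and writes nothing.
CREATE OR REPLACE FUNCTION current_company_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(auth.jwt() ->> 'company_id', '')::uuid
$$;

-- 3. One policy per command. USING filters the rows a caller may read,
--    update or delete; WITH CHECK validates rows being written. The INSERT
--    policy and the UPDATE policy's WITH CHECK are what stop a caller from
--    writing a job into another tenant's company_id (a SELECT-only policy
--    leaves every write denied, which is safe but not useful).
CREATE POLICY jobs_select ON jobs FOR SELECT
  USING (company_id = current_company_id());
CREATE POLICY jobs_insert ON jobs FOR INSERT
  WITH CHECK (company_id = current_company_id());
CREATE POLICY jobs_update ON jobs FOR UPDATE
  USING (company_id = current_company_id())
  WITH CHECK (company_id = current_company_id());
CREATE POLICY jobs_delete ON jobs FOR DELETE
  USING (company_id = current_company_id());

-- 4. Quick check with constructed claims (session-scoped set_config).
--    Tenant A inserts its own job; a row aimed at tenant B is rejected by
--    the INSERT policy with "new row violates row-level security policy".
SELECT set_config('request.jwt.claims',
  '{"sub":"a1","company_id":"11111111-1111-1111-1111-111111111111"}', false);
INSERT INTO jobs (company_id, title)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A job');
-- INSERT INTO jobs (company_id, title)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled into B');

-- Tenant B's token sees no rows at all, not even their count.
SELECT set_config('request.jwt.claims',
  '{"sub":"b1","company_id":"22222222-2222-2222-2222-222222222222"}', false);
SELECT count(*) AS visible_to_tenant_b FROM jobs;

-- A token with no company_id claim sees nothing either (NULL comparison).
SELECT set_config('request.jwt.claims', '{"sub":"anon"}', false);
SELECT count(*) AS visible_without_claim FROM jobs;
```

Two points the check makes visible: the cast in current_company_id() is not cosmetic (without it the policy fails to create against a uuid column), and the absent-claim case fails closed because a NULL comparison is never true in a policy.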

Subdomain Isolation

Each company operates on its own subdomain (e.g., yourcompany.sergio.app). This provides browser-level cookie isolation and makes phishing attempts more obvious.

JWT Token Binding

Authentication tokens are cryptographically bound to your company ID. A token from one company cannot access another company's resources - the signature verification will fail.

Authentication & Access Control

Password Security

  • Passwords hashed with bcrypt (work factor 12)
  • Minimum 8 characters required
  • Checked against known breached password lists
  • We never store or log plaintext passwords

Session Security

  • Sessions expire after 7 days of inactivity
  • Tokens automatically refresh without user action
  • Ability to remotely terminate all sessions
  • Login attempts are rate-limited

Role-Based Access Control

Access is restricted based on your role within the organization:

Admin

Full access to all features, billing, and team management

Manager

Manage jobs, customers, and team schedules

Technician

View and complete assigned jobs only
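The three roles above can be enforced as a second layer of row-level policies on the same table, so the role check sits in the database next to the tenant check. The block below is an added example, not Sergio's own policies: it assumes a Supabase-style auth.jwt(), a constructed jobs table with an assigned_to column holding the technician's user id (the token's sub claim), and a role stored at app_metadata.role in the token with the values admin, manager and technician. The claim path and the assigned_to column are assumptions.

```sql
-- Added example (not Sergio's own policies). Assumes Supabase's auth.jwt()
-- and a role claim at app_metadata.role (assumed path) with the values
-- admin, manager and technician. Constructed table for the example.
CREATE TABLE IF NOT EXISTS jobs (
  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  company_id  uuid NOT NULL,
  assigned_to uuid,                        -- technician's user id (JWT sub)
  status      text NOT NULL DEFAULT 'open',
  title       text NOT NULL
);
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- Claim accessors. Each returns NULL when its claim is absent, and NULL
-- never satisfies a policy, so a malformed token fails closed.
CREATE OR REPLACE FUNCTION jwt_company_id() RETURNS uuid
LANGUAGE sql STABLE AS $$ SELECT NULLIF(auth.jwt() ->> 'company_id', '')::uuid $$;
CREATE OR REPLACE FUNCTION jwt_user_id() RETURNS uuid
LANGUAGE sql STABLE AS $$ SELECT NULLIF(auth.jwt() ->> 'sub', '')::uuid $$;
CREATE OR REPLACE FUNCTION jwt_app_role() RETURNS text
LANGUAGE sql STABLE AS $$ SELECT auth.jwt() -> 'app_metadata' ->> 'role' $$;

-- Permissive policies OR together, so every policy repeats the tenant test:
-- a role policy that omitted company_id would silently reopen cross-tenant
-- access for that role.

-- Admins and managers: every job in their own company, any operation.
CREATE POLICY jobs_admin_manager_all ON jobs FOR ALL
  USING (company_id = jwt_company_id()
         AND jwt_app_role() IN ('admin', 'manager'))
  WITH CHECK (company_id = jwt_company_id()
              AND jwt_app_role() IN ('admin', 'manager'));

-- Technicians: read only the jobs assigned to them, in their own company.
CREATE POLICY jobs_technician_select ON jobs FOR SELECT
  USING (company_id = jwt_company_id()
         AND jwt_app_role() = 'technician'
         AND assigned_to = jwt_user_id());

-- Technicians may complete (update) an assigned job; WITH CHECK keeps the
-- updated row assigned to them and inside their company, so they cannot
-- reassign or move it. No INSERT or DELETE policy exists for technicians,
-- so RLS denies those outright.
CREATE POLICY jobs_technician_update ON jobs FOR UPDATE
  USING (company_id = jwt_company_id()
         AND jwt_app_role() = 'technician'
         AND assigned_to = jwt_user_id())
  WITH CHECK (company_id = jwt_company_id()
              AND jwt_app_role() = 'technician'
              AND assigned_to = jwt_user_id());

-- Quick check with constructed claims (session-scoped set_config, run as a
-- non-superuser role). An admin seeds two jobs for different technicians.
SELECT set_config('request.jwt.claims',
  '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "company_id":"11111111-1111-1111-1111-111111111111",
    "app_metadata":{"role":"admin"}}', false);
INSERT INTO jobs (company_id, assigned_to, title) VALUES
  ('11111111-1111-1111-1111-111111111111',
   '33333333-3333-3333-3333-333333333333', 'Assigned to technician 3333'),
  ('11111111-1111-1111-1111-111111111111',
   '44444444-4444-4444-4444-444444444444', 'Assigned to someone else');

-- Technician 3333: the SELECT is filtered to their own job, the status
-- update is allowed, and the commented reassignment fails the WITH CHECK.
SELECT set_config('request.jwt.claims',
  '{"sub":"33333333-3333-3333-3333-333333333333",
    "company_id":"11111111-1111-1111-1111-111111111111",
    "app_metadata":{"role":"technician"}}', false);
SELECT title, status FROM jobs;
UPDATE jobs SET status = 'done' WHERE assigned_to = jwt_user_id();
-- UPDATE jobs SET assigned_to = '44444444-4444-4444-4444-444444444444'
--   WHERE assigned_to = jwt_user_id();
```

RLS decides which rows a role may touch, not which columns. If technicians must only ever change status, that is a column privilege (GRANT UPDATE (status) on a dedicated database role) or a trigger check, layered on top of these policies.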

Encryption & Data Protection

In Transit

All connections use TLS 1.3 encryption. HSTS headers force HTTPS on all requests. Certificate pinning is enforced on mobile apps.

At Rest

Database storage is encrypted with AES-256. Backups are encrypted and stored in geographically separate locations.

Payment Data

We never store credit card numbers. Payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. We only store transaction IDs for reference.

Infrastructure Security

Hosting

  • Database hosted on Supabase (Canadian data centers)
  • Edge functions on Cloudflare Workers (global)
  • Static assets on Cloudflare CDN
  • SOC 2 Type II certified infrastructure

Protection

  • DDoS protection via Cloudflare
  • Web Application Firewall (WAF) via Cloudflare
  • Automated security scanning
  • 24/7 monitoring and alerting

Backup & Disaster Recovery

Your data is continuously protected with multiple layers of redundancy.

Backup Strategy

  • Continuous replication via Write-Ahead Logging (WAL)
  • Automated daily snapshots
  • 7-day Point-in-Time Recovery (PITR) window
  • Backups encrypted and stored in geographically separate locations

Recovery Objectives

  • Recovery Time Objective (RTO): < 4 hours
  • Recovery Point Objective (RPO): < 1 hour
  • Multi-AZ deployment within AWS Canada region

Incident Response

We maintain a documented breach response plan aligned with PIPEDA and Quebec Law 25.

Notification Timeline

  • 72-hour notification target for affected customers
  • Compliant with PIPEDA "as soon as feasible" standard
  • Compliant with Quebec Law 25 "with diligence" requirement
  • Privacy Commissioner of Canada and CAI (Quebec) notified when required

Severity Classification

  • High: Database access, mass PII exposure — response within 1 hour
  • Medium: Multiple account compromise, limited PII — response within 4 hours
  • Low: Single account incident, no PII — response within 24 hours

Backed by cyber insurance coverage (E&O + Cyber) through Tokio Marine Canada

Data Retention & Deletion

We retain data only as long as needed and delete it when you ask.

Account Deletion

  • Data deleted within 30 days of account termination
  • Soft delete with audit trail; hard delete available upon request
  • Removed from backups within 90 days via PITR rotation
  • Request deletion via [email protected]

Retention Schedule

GPS location data: 24 hours (auto-deleted)
Rate limit logs: 30 days
Session replay recordings: 30 days
Edge function logs: 30 days
Email delivery logs: 90 days
Authentication logs: 2 years
Financial records (invoices, payments): 6 years
Business account data: active period + 7 years
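A retention schedule is only a control if something enforces it on a clock. The block below is an added example, not Sergio's own code: a schedule table holding the fixed-interval rows from the list above and a purge function that deletes expired rows in bounded batches. It assumes each listed table has a timestamptz created_at column; the table names (gps_locations, rate_limit_logs and so on) are constructed. Financial records and business account data are deliberately left out, because their clocks start from account termination rather than row creation and belong to a job keyed on the account's state.

```sql
-- Added example (not Sergio's own code). Constructed table names; assumes a
-- timestamptz created_at column on each.
CREATE TABLE IF NOT EXISTS retention_schedule (
  table_name text PRIMARY KEY,
  keep_for   interval NOT NULL
);

INSERT INTO retention_schedule (table_name, keep_for) VALUES
  ('gps_locations',       interval '24 hours'),
  ('rate_limit_logs',     interval '30 days'),
  ('session_replays',     interval '30 days'),
  ('edge_function_logs',  interval '30 days'),
  ('email_delivery_logs', interval '90 days'),
  ('auth_logs',           interval '2 years')
ON CONFLICT (table_name) DO UPDATE SET keep_for = EXCLUDED.keep_for;

-- One bounded DELETE per scheduled table, reporting what each removed.
-- format('%I') quotes the name as an identifier, so a schedule row can
-- never become SQL. batch_size caps each pass so a purge after an outage
-- does not hold long locks; rerun until every purged_rows is 0.
CREATE OR REPLACE FUNCTION purge_expired_rows(batch_size int DEFAULT 10000)
RETURNS TABLE (purged_table text, purged_rows bigint)
LANGUAGE plpgsql AS $$
DECLARE
  r retention_schedule%ROWTYPE;
BEGIN
  FOR r IN SELECT * FROM retention_schedule ORDER BY table_name LOOP
    -- A schedule entry for a table that does not exist yet is skipped
    -- rather than failing the whole run.
    IF to_regclass(r.table_name) IS NULL THEN
      CONTINUE;
    END IF;
    EXECUTE format(
      'WITH doomed AS (
         SELECT ctid FROM %I WHERE created_at < now() - $1 LIMIT $2
       )
       DELETE FROM %I t USING doomed WHERE t.ctid = doomed.ctid',
      r.table_name, r.table_name)
    USING r.keep_for, batch_size;
    GET DIAGNOSTICS purged_rows = ROW_COUNT;
    purged_table := r.table_name;
    RETURN NEXT;
  END LOOP;
END;
$$;

-- Constructed check: one stale and one fresh GPS row. After the purge the
-- two-day-old row is gone and the fresh one remains.
CREATE TABLE IF NOT EXISTS gps_locations (
  id         bigserial PRIMARY KEY,
  created_at timestamptz NOT NULL DEFAULT now(),
  lat        double precision,
  lon        double precision
);
INSERT INTO gps_locations (created_at, lat, lon) VALUES
  (now() - interval '2 days', 45.50, -73.57),
  (now(),                     45.50, -73.57);
SELECT * FROM purge_expired_rows();
SELECT count(*) AS remaining_gps_rows FROM gps_locations;

-- Scheduling: with the pg_cron extension installed, run it hourly.
-- SELECT cron.schedule('purge-expired-rows', '0 * * * *',
--                      'SELECT purge_expired_rows()');
```

Keeping the intervals in a table rather than in code means a retention change is a data change that can be reviewed and audited, and the function's output doubles as evidence that the schedule is actually being applied.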

Secure Development Practices

Security is built into our development process, not bolted on after.

  • Monthly code reviews and security audits
  • Automated dependency scanning via Dependabot
  • Vulnerability patches applied daily
  • Row-Level Security policies on every database table (600+)
  • Least-privilege access — no direct database access for end users
  • Real-time error monitoring and session replay via Sentry

Compliance & Privacy

We operate under Canadian privacy law with additional provincial compliance.

Regulatory Compliance

  • PIPEDA (Federal) — all 10 fair information principles implemented
  • Quebec Law 25 (Bill 64) — enhanced privacy requirements for Quebec residents
  • Alberta PIPA and BC PIPA compliance
  • CCPA/CPRA readiness for US-based customers
  • CASL compliance for electronic communications

Assessments & Documentation

  • Privacy Impact Assessment completed and signed (February 2026)
  • Overall privacy risk assessment: LOW
  • Data Processing Agreements signed with all major sub-processors
  • 30-day advance notice of any sub-processor changes

Privacy Officer: [email protected]

Did someone tell you to open this?

If someone directed you to the browser console (Developer Tools) and asked you to paste code, STOP immediately. This is a common attack called Self-XSS (Cross-Site Scripting).

What attackers want:

  • Steal your login session and impersonate you
  • Access your customer data and business information
  • Make unauthorized changes to your account
  • Steal payment information or redirect funds

Remember: Sergio employees will never ask you to paste code into the console. If you encounter this, report it to [email protected].

Social Engineering Attacks

Social engineering is when attackers manipulate people into giving up confidential information or taking actions that compromise security. These attacks target you, not our systems.

Self-XSS

Attackers convince you to paste malicious code into the browser console, promising "free features" or "account hacks." This code steals your session.

Phishing

Fake emails or websites that look like Sergio, asking for your password. Always check the URL - we're only at sergio.app.

Pretexting

Someone pretending to be from "Sergio Support" asking for your credentials. We will never ask for your password.

Baiting

Offers that seem too good to be true - "free premium features" or "unlimited storage." These typically require compromising your account.

How to Protect Yourself

  • Never paste code into the browser console unless you wrote it yourself
  • Verify URLs before entering credentials - look for sergio.app
  • Enable two-factor authentication on your account
  • Report suspicious emails to [email protected]

Responsible Disclosure Policy

We appreciate security researchers who help keep Sergio safe. If you discover a vulnerability, we want to hear from you.

In Scope

  • sergio.app and all subdomains
  • API endpoints and edge functions
  • Authentication and authorization flaws
  • Data exposure or tenant isolation bypasses

Out of Scope

  • Denial of service attacks
  • Social engineering of employees or customers
  • Physical security testing
  • Vulnerabilities in third-party services (report to them directly)

Disclosure Process

  1. Email your findings to [email protected]
  2. We will acknowledge receipt within 48 hours
  3. We will assess and provide an estimated timeline within 5 business days
  4. We will work to resolve confirmed vulnerabilities promptly
  5. With your permission, we will credit you for the discovery

Safe Harbor

We will not pursue legal action against security researchers who act in good faith, make a reasonable effort to avoid privacy violations and data destruction, and give us reasonable time to address issues before public disclosure.

Related Resources

Report a Security Issue

Found a vulnerability? We appreciate responsible disclosure. Contact our security team directly.

[email protected]