How we protect your business and customer data
If someone directed you to the browser console (Developer Tools) and asked you to paste code, STOP immediately. This is a common attack called Self-XSS (Cross-Site Scripting).
Remember: Sergio employees will never ask you to paste code into the console. If you encounter this, report it to [email protected].
Social engineering is when attackers manipulate people into giving up confidential information or taking actions that compromise security. These attacks target you, not our systems.
Attackers convince you to paste malicious code into the browser console, promising "free features" or "account hacks." Because the pasted code runs inside your logged-in session, it can read your data and act as you, for example by stealing your session token.
Fake emails or websites that look like Sergio, asking for your password. Always check the URL - we're only at sergio.app.
Someone pretending to be from "Sergio Support" asking for your credentials. We will never ask for your password.
Offers that seem too good to be true - "free premium features" or "unlimited storage." These typically require compromising your account.
Sergio is a multi-tenant platform - multiple businesses share the same infrastructure. But your data is completely isolated from other companies through multiple security layers.
Every database query is automatically filtered by your company ID at the database level. This is enforced by PostgreSQL Row Level Security (RLS) rather than by each application code path remembering to add the filter, so the restriction applies to every query that reaches the table, whichever feature issued it.
-- Example RLS policy on jobs table
CREATE POLICY "Users can only see their company's jobs"
ON jobs FOR SELECT
USING (company_id = auth.jwt() ->> 'company_id');

Even an attacker who could run arbitrary queries through the application's database role would only see their own company's rows. Two caveats a reviewer would check: the policy above covers SELECT only, so INSERT, UPDATE and DELETE need their own policies (or a FOR ALL policy with a WITH CHECK clause), and RLS does not apply to superusers or, unless FORCE ROW LEVEL SECURITY is set on the table, to the table owner, which is why application connections should use an ordinary role.
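As an added example (not Sergio's schema or code), here is a complete tenant-isolation setup that can be run in psql as a superuser against a scratch database. It assumes a uuid company_id column, an application role named app_user, and a stand-in auth.jwt() that reads claims from the request.jwt.claims session setting (the real function is provided by the platform). It goes beyond the SELECT-only policy above: it covers writes with WITH CHECK, forces the policy onto the table owner, and shows what a cross-tenant read, update and insert each do.

```sql
-- Added example, not Sergio's schema: self-contained tenant isolation with RLS.
-- Run in psql as a superuser on a scratch database. Names and types are assumed.

-- Stand-in for the platform's auth.jwt(): returns the claims the API layer
-- stores in the session setting request.jwt.claims (assumption, see lead-in).
CREATE SCHEMA IF NOT EXISTS auth;
CREATE OR REPLACE FUNCTION auth.jwt() RETURNS jsonb
LANGUAGE sql STABLE AS $$
  SELECT coalesce(nullif(current_setting('request.jwt.claims', true), ''), '{}')::jsonb
$$;

CREATE TABLE jobs (
  id         serial PRIMARY KEY,
  company_id uuid NOT NULL,          -- assumed type; the cast in the policy matches it
  title      text NOT NULL
);

-- Seed two tenants before RLS is switched on (constructed sample data)
INSERT INTO jobs (company_id, title) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Acme: service boiler'),
  ('22222222-2222-2222-2222-222222222222', 'Globex: replace pump');

-- A policy does nothing until RLS is enabled. FORCE makes it apply to the
-- table owner as well; superusers always bypass RLS.
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- One policy for every command. USING filters the rows a SELECT, UPDATE or
-- DELETE can touch; WITH CHECK rejects INSERT/UPDATE rows that would land in
-- another tenant. A SELECT-only policy would leave writes unrestricted.
CREATE POLICY tenant_isolation ON jobs
  FOR ALL
  USING      (company_id = (auth.jwt() ->> 'company_id')::uuid)
  WITH CHECK (company_id = (auth.jwt() ->> 'company_id')::uuid);

-- The role the application connects as: neither owner nor superuser,
-- so the policy actually applies to it.
CREATE ROLE app_user NOLOGIN;
GRANT USAGE ON SCHEMA auth TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON jobs TO app_user;
GRANT USAGE ON SEQUENCE jobs_id_seq TO app_user;

-- Simulate a request carrying an Acme user's claims
SET ROLE app_user;
SELECT set_config('request.jwt.claims',
                  '{"company_id":"11111111-1111-1111-1111-111111111111"}', false);

-- Only the Acme job is returned; Globex's row is filtered out
SELECT id, title FROM jobs;

-- Addressing Globex's row by primary key still returns no rows rather than an error
SELECT id, title FROM jobs WHERE id = 2;

-- A cross-tenant UPDATE matches nothing, so nothing changes
UPDATE jobs SET title = 'hijacked' WHERE id = 2;

-- A cross-tenant INSERT is rejected by WITH CHECK with a row-level security
-- policy violation instead of silently succeeding
INSERT INTO jobs (company_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'planted');

-- With no claim at all (an unauthenticated request) the comparison is NULL,
-- so no rows are visible to anyone
SELECT set_config('request.jwt.claims', '', false);
SELECT id, title FROM jobs;

RESET ROLE;
```

The failing INSERT is intentional: psql reports the error and continues, so the whole script can be run top to bottom. The two checks that most often get missed in real deployments are the FORCE line and the WITH CHECK clause; without the first, a migration or job that connects as the table owner sees every tenant, and without the second a user can write rows into another company even though they can never read them back.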
Each company operates on their own subdomain (e.g., yourcompany.sergio.app). Session cookies are scoped to that host, so the browser does not send them to any other company's subdomain (this holds as long as cookies are set without a Domain=sergio.app attribute), and a login page on the wrong subdomain is easier to spot as phishing.
Authentication tokens carry your company ID as a signed claim. The claim cannot be altered without invalidating the signature, and every request is checked against it, so a token issued for one company cannot be used to reach another company's resources.
Access is restricted based on your role within the organization:
Full access to all features, billing, and team management
Manage jobs, customers, and team schedules
View and complete assigned jobs only
All connections use TLS 1.3 encryption. HSTS headers force HTTPS on all requests. Certificate pinning is enforced on mobile apps.
Database storage is encrypted at rest with AES-256. Backups are encrypted and stored in geographically separate locations.
We never store credit card numbers. Payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. We only store transaction IDs for reference.
Found a vulnerability? We appreciate responsible disclosure. Contact our security team directly.
[email protected]