Security at FieldWise HQ

How we protect your business data — infrastructure, encryption, access controls, backups, and responsible vulnerability disclosure.

  Last updated May 4, 2026

1. Our Approach

FieldWise HQ is entrusted with business-critical data — customer lists, financial records, technician locations, and payment information. We take that responsibility seriously. Our security program is grounded in industry-standard practices, layered defense, and a preference for simple, auditable architecture over complex configurations that invite error.

This page summarizes the controls we have in place today. It is not a substitute for a formal security questionnaire; Enterprise customers can request one by contacting us.

2. Infrastructure

  • Services run on professionally managed Linux servers in commercial data centers with 24×7 physical security, redundant power, cooling, and network connectivity.
  • Operating systems and packages are maintained with regular security patches.
  • Firewalls restrict network access at the host level; only necessary ports are exposed.
  • Database servers are not directly reachable from the public internet.

3. Encryption

  • In transit: All traffic between browsers, the mobile app, and our servers is encrypted with TLS 1.2 or higher. HTTP requests are redirected to HTTPS. Certificates are issued by a trusted public CA and renewed automatically.
  • At rest: Production databases and backups reside on encrypted storage volumes.
  • Passwords: Passwords are stored only as one-way cryptographic hashes using industry-standard algorithms. Plaintext passwords are never written to disk, logs, or backups.
  • Payment data: Payment card numbers are never stored on FieldWise HQ servers. All card processing is handled by our PCI-DSS certified payment processor (Stripe), and we store only non-sensitive identifiers (e.g., last 4 digits, expiration).

4. Access Controls

  • Principle of least privilege. Employees and contractors receive only the access needed for their role.
  • Role-based permissions. Within the product, every employee of a customer company has a granular permission set (currently 260+ individual permissions) controlling what they can see and do.
  • Administrative access to production systems is restricted to a small number of personnel, authenticated with SSH keys and subject to audit logging.
  • Separation of duties. Development, staging, and production environments are kept distinct.

5. Authentication

  • Users authenticate with email and password. Sessions are issued as signed JSON Web Tokens (JWTs) with expiration.
  • Password reset uses time-limited, single-use tokens delivered by email.
  • Repeated failed login attempts trigger rate-limiting.
  • On the roadmap: multi-factor authentication (MFA) for administrator accounts, Q3 2026.

6. Multi-Tenancy

FieldWise HQ is a multi-tenant platform. Every data record is scoped to a company_id, and every API route and database query enforces that boundary. Customer data is logically isolated; one company's users cannot access another company's data by design.

Subdomain-based tenancy (e.g., acme.fieldwisehq.com) provides an additional layer of clarity and user experience isolation.

7. Backups & Disaster Recovery

  • Full database backups run nightly and are replicated off-site to a separate cloud provider.
  • Backups are encrypted and retained on a rolling 30-day schedule.
  • Point-in-time recovery is possible within the retention window.
  • Our disaster-recovery playbook is documented and tested periodically.

8. Monitoring & Incident Response

  • Application errors, request latency, and availability are continuously monitored.
  • Audit logs capture security-relevant actions (login, permission changes, administrative operations).
  • We have a documented incident-response plan. In the event of a security incident affecting customer data, we will notify affected customers and, where required, regulatory authorities without undue delay.

9. Compliance

  • Payment processing: handled by Stripe, which maintains PCI-DSS Level 1 certification. FieldWise HQ operates under the reduced PCI scope for SaaS providers that do not store card numbers.
  • Privacy: we align with GDPR and CCPA principles for the personal information we handle. See our GDPR page and Privacy Policy.
  • SOC 2 and formal third-party audits: on our long-term roadmap as we scale into larger enterprise accounts.

Enterprise customers requiring a Data Processing Agreement (DPA), a security questionnaire response, or a custom data protection addendum should contact us directly.

10. Responsible Vulnerability Disclosure

We welcome reports from security researchers and encourage coordinated disclosure.

  • Please do not access, modify, or exfiltrate data that is not your own during testing.
  • Please do not run automated scans, brute-force attacks, or DoS testing against production systems.
  • Report findings privately to the contact below, including a clear proof-of-concept and your contact information.
  • We will acknowledge within 2 business days and provide a remediation timeline.
  • We do not currently operate a paid bug bounty, but we will credit researchers (with permission) on a public acknowledgments page.

11. Contact

Security inquiries & vulnerability reports

Please include "Security" in your subject line. We respond within 2 business days.