Security
How we protect your data
Last reviewed: May 9, 2026
This page summarises the controls we have in place today. Specific certifications (SOC 2, ISO 27001) are on the roadmap but not yet completed; we say so plainly rather than implying otherwise. For the legal terms governing your data, see the Privacy Policy.
Encryption
- In transit: all traffic uses TLS 1.2+ via Cloudflare in front of the application servers. HSTS is enabled on the apex domain.
- At rest: the primary PostgreSQL database runs on encrypted volumes. Workspace storage credentials (R2, S3, GCS, Firebase) are encrypted with AES-256-GCM using a server-side key that never leaves the application environment. Slack OAuth bot tokens are encrypted the same way.
- Passwords: hashed with bcrypt (cost factor 12). OAuth-only accounts have no password and cannot be signed in to via the password form.
- API keys and Stripe secrets: stored only as environment variables on the application server, never in the database or repository.
Authentication and access
- Email + password with email verification on signup.
- Sign in with Google via OAuth. We never see your Google password. New OAuth accounts are auto-created; attempts to take over an unverified password account by signing in with Google reset the unverified password — see the Privacy Policy for details.
- Role-based access at the workspace level: Workspace Admin, Support Agent, User. Cross-workspace access requires explicit membership.
- Session management: NextAuth-issued JWT sessions with HTTP-only, secure cookies and CSRF protection on state-changing requests.
- Password reset tokens are single-use, 32-byte random hex, and expire after 1 hour. Email verification tokens follow the same pattern with a 24-hour expiry.
Application hardening
- Rate limiting on authentication endpoints (signup, login, password reset, email verification), workspace setup endpoint, and the public real-time generation API. Per-API-key minute and monthly caps are configurable.
- Multi-tenant isolation: every query that returns workspace data is scoped to the requester's workspace at the application layer, with route-level permission checks. Storage paths include the workspace ID so cross-tenant URL guessing fails.
- Input validation with Zod on every state-changing route; Prisma's parameterised queries prevent SQL injection at the data-access layer.
- Output safety: React's default escaping is in effect; we don't use dangerouslySetInnerHTML anywhere user-controlled content reaches it.
- SSRF protection on connection-test endpoints (storage credentials, feed URLs) — outbound fetches from those endpoints are constrained to the provider domains they target.
- Webhook signing: Stripe webhooks are verified against the signing secret; render-callback webhooks from the worker include their own shared secret check.
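One way to enforce the SSRF constraint on a connection-test endpoint, as an added example that is not the project's code: the submitted URL is parsed and rejected unless it is HTTPS on the default port, carries no credentials, and names a host under the configured provider's domain. The page names the providers but not their hostnames, so the allowlist entries below are assumptions.

```javascript
// Added example (not ConnectWyze's code): host allowlist for storage connection tests.
// Assumption: one entry per provider the page lists; a leading "." means "any subdomain of".
const ALLOWED_HOSTS = {
  r2: [".r2.cloudflarestorage.com"],
  s3: [".amazonaws.com"],
  gcs: ["storage.googleapis.com"],
  firebase: ["firebasestorage.googleapis.com"],
};

// Exact match for plain entries; a proper subdomain for entries starting with ".".
function hostAllowed(hostname, entries) {
  return entries.some((e) =>
    e.startsWith(".") ? hostname.endsWith(e) && hostname.length > e.length : hostname === e
  );
}

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
function checkConnectionTestTarget(provider, rawUrl) {
  const entries = ALLOWED_HOSTS[provider];
  if (!entries) return { ok: false, reason: "unknown_provider" };
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" }; // no http:, file:, gopher:
  if (url.username || url.password) return { ok: false, reason: "userinfo" }; // https://host@other/
  if (url.port && url.port !== "443") return { ok: false, reason: "port" };
  const host = url.hostname.toLowerCase();
  // IP literals (IPv4, or bracketed IPv6) can never be a provider hostname.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return { ok: false, reason: "ip_literal" };
  if (!hostAllowed(host, entries)) return { ok: false, reason: "host_not_allowed" };
  return { ok: true, url: url.toString() };
}
```

This validates the URL as submitted; the fetch that follows should also refuse to follow redirects (`redirect: "manual"`), since an allowed host can redirect to one that is not.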
Hosting and sub-processors
- Application servers and primary database run on Hetzner Cloud (Germany), an EU provider.
- CDN and edge: Cloudflare.
- Generated assets and uploads: stored in the provider you configure for your workspace — Cloudflare R2, AWS S3, Google Cloud Storage, or Firebase Storage. You may bring your own credentials.
- Payments: Stripe. Card numbers never touch our servers — Checkout and the Customer Portal are hosted by Stripe.
- Authentication: Google OAuth (optional).
- Email: Resend.
- Error monitoring: Sentry (PII scrubbed where feasible; full request bodies are not logged).
- Operational notifications: Slack (only if you connect a workspace).
The Privacy Policy lists all sub-processors and the legal bases for processing.
Backups, retention, and recovery
- Database backups are taken daily and before any schema migration. The most recent 10 backups are retained.
- Workspace deletion: when a workspace is deleted, content is removed within 30 days. Backups taken before deletion are rotated out within 30 days.
- Billing records may be retained up to 7 years where required by tax and accounting law.
Your account and data rights
- Account export: the data we hold tied to your individual account is downloadable as JSON from this endpoint. Workspace content exports are available from workspace settings.
- Account deletion: email [email protected] from the address tied to your account. We confirm and process within 30 days.
- Sessions: sign out from anywhere by changing your password — that invalidates existing sessions.
Reporting a vulnerability
If you believe you have found a security vulnerability, please report it privately to [email protected]. Please include:
- a description of the issue and the impact you've assessed,
- steps to reproduce (proof-of-concept where applicable),
- the affected endpoint, page, or component.
We do not currently run a paid bug-bounty programme, but we respond to every report and credit researchers who would like to be acknowledged. Please do not publicly disclose an issue before we've had a reasonable chance to fix it (typically 90 days from acknowledgement).
What we are not (yet)
We don't claim certifications we don't hold. Today we are not SOC 2 Type II, ISO 27001, or HIPAA compliant. SOC 2 is on our roadmap; we will update this page when audits are in flight. If your procurement team needs specific attestations sooner, contact us about an enterprise arrangement.
Contact
Questions about this page or about ConnectWyze's security posture? [email protected]