Security
How we protect your data: encryption, isolation, auth, backups, monitoring, and responsible disclosure.
Last updated:
Overview
Security is non-negotiable for a work management platform: you're trusting us with your team's data. Here's how we protect it.
Encryption
- In transit: all traffic uses TLS 1.2 or higher. Plain HTTP is redirected to HTTPS, and HSTS is enabled with preload.
- At rest: database storage is encrypted at the filesystem level by our hosting provider (Railway). File attachments are stored in the same database, in a Bytes column, so they are covered by the same at-rest encryption.
Authentication
- Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords.
- Session tokens are JWTs signed with a secret not shared with any third party.
- Google OAuth available as an optional sign-in method.
- API keys are hashed with bcrypt; only the first 11 characters (the key prefix) are stored in plaintext, for identification in the UI.
- API keys scoped per-org with per-key rate limits.
- Rate limiting on login (5 attempts / 15 min) and registration (5 / min).
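The prefix-plus-hash scheme described above, as an added example that is not the product's own code. The page says keys are bcrypt-hashed with an 11-character plaintext prefix; bcrypt needs an npm dependency, so this example substitutes Node's built-in scrypt as the slow hash. The `lc_` key format, cost parameters and function names are this example's assumptions; what it demonstrates is the storage shape, the prefix-indexed lookup, the constant-time comparison and the per-org scope check.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Added example (not the product's own code). scrypt stands in for the page's bcrypt.

const PREFIX_LEN = 11; // from the page: the plaintext prefix kept for UI identification

interface ApiKeyRecord {
  prefix: string;   // plaintext, indexed, shown in the UI
  salt: string;     // hex; bcrypt embeds its salt, scrypt needs it stored explicitly
  hash: string;     // hex slow hash of the full key
  orgId: string;    // the single organization this key can act on
  scopes: string[]; // e.g. "boards:read", "items:write"
}

function slowHash(secret: string, saltHex: string): Buffer {
  // Hypothetical cost parameters; bcrypt cost 12 on the page plays the same role.
  return scryptSync(secret, Buffer.from(saltHex, "hex"), 32, { N: 1 << 14, r: 8, p: 1 });
}

// Returns the plaintext once (shown to the user a single time) and the record to persist.
function generateApiKey(orgId: string, scopes: string[]): { plaintext: string; record: ApiKeyRecord } {
  const plaintext = "lc_" + randomBytes(24).toString("base64url"); // "lc_" format is an assumption
  const salt = randomBytes(16).toString("hex");
  const record: ApiKeyRecord = {
    prefix: plaintext.slice(0, PREFIX_LEN),
    salt,
    hash: slowHash(plaintext, salt).toString("hex"),
    orgId,
    scopes,
  };
  return { plaintext, record };
}

// The prefix turns the lookup into an indexed equality query; without it every request
// would need a slow-hash comparison against every key in the table.
function verifyApiKey(presented: string, byPrefix: Map<string, ApiKeyRecord[]>): ApiKeyRecord | null {
  if (presented.length <= PREFIX_LEN) return null;
  const candidates = byPrefix.get(presented.slice(0, PREFIX_LEN)) ?? [];
  for (const rec of candidates) {
    const actual = slowHash(presented, rec.salt);
    const expected = Buffer.from(rec.hash, "hex");
    if (actual.length === expected.length && timingSafeEqual(actual, expected)) return rec;
  }
  return null; // unknown prefix or wrong secret: same answer either way
}

// Authorization for a request that already authenticated with `rec`: the key must carry
// the exact scope and the target must belong to the key's organization.
function authorize(rec: ApiKeyRecord, scope: string, targetOrgId: string): boolean {
  return rec.orgId === targetOrgId && rec.scopes.includes(scope);
}
```

In production the `byPrefix` map is a database index on the prefix column; the hash column is never indexed or searched, only compared after the prefix narrows the candidates to one or a handful of rows.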
Multi-tenant isolation
Every query that reads customer data includes an organizationId filter. All admin endpoints verify that the requesting user belongs to the target organization. Cross-board and cross-org operations are blocked at the API layer with explicit validation.
Authorization
- Per-board roles: owner, editor, viewer. Role-based checks on every write endpoint.
- Platform superadmin bypass is explicit and audit-logged.
- API key scopes (boards:read/write, items:read/write, updates:read/write): users pick what each key can do.
Audit logging
Security-relevant actions are logged to an audit table: signup, login, password changes, data exports, plan changes, subscription cancellations, and account deletion requests. Logs are retained for 2 years.
Webhook protection
Our webhook action blocks SSRF by refusing to send to private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), loopback, internal IPv6 prefixes, AWS/GCP metadata hosts, and any non-HTTP(S) URL. Redirects are not followed. Requests time out after 10 seconds.
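A destination check of the kind described above, as an added example that is not the product's own code. The function names, the injected resolver and the exact list of blocked ranges are this example's assumptions, based on the ranges listed in the paragraph; it also shows two details the paragraph does not spell out: hostnames must be resolved and every returned address checked (a name with one public and one private record is the classic bypass), and the WHATWG URL parser normalizes obfuscated literals such as `http://2130706433/` to `127.0.0.1` before the check runs.

```typescript
// Added example (not the product's own code): destination check for an outbound
// webhook sender. Names, resolver injection and blocked ranges are assumptions.

type Resolver = (hostname: string) => string[]; // A/AAAA answers, already resolved

// Parse a dotted-quad IPv4 address into a 32-bit number; null if malformed.
function parseIPv4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// IPv4 ranges an outbound webhook must never reach.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // carrier-grade NAT (RFC 6598)
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes cloud metadata 169.254.169.254
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["224.0.0.0", 3],     // multicast, reserved and broadcast (224.0.0.0 to 255.255.255.255)
];

function inCidrV4(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

// Hostnames cloud providers hand out for their metadata services (assumed list).
const METADATA_HOSTS = new Set(["metadata.google.internal", "metadata", "instance-data"]);

// Returns a reason string if the address is blocked, null if it may be contacted.
function isBlockedAddress(addr: string): string | null {
  const v4 = parseIPv4(addr);
  if (v4 !== null) {
    for (const [base, bits] of BLOCKED_V4) {
      if (inCidrV4(v4, base, bits)) return `${addr} is in ${base}/${bits}`;
    }
    return null;
  }
  if (addr.includes(":")) {
    // Only the first hextet is needed for these ranges. Parsers and resolvers return
    // compressed forms, so "::ffff:10.0.0.1" arrives as "::ffff:a00:1" (first hextet 0).
    const first = addr.split(":")[0] ?? "";
    const h = first === "" ? 0 : parseInt(first, 16);
    if (Number.isNaN(h)) return `${addr} is not a parseable IPv6 address`;
    if (h === 0) return `${addr} is in ::/16 (loopback, unspecified, IPv4-mapped)`;
    if ((h & 0xfe00) === 0xfc00) return `${addr} is in fc00::/7 (unique local)`;
    if ((h & 0xffc0) === 0xfe80) return `${addr} is in fe80::/10 (link-local)`;
    if ((h & 0xff00) === 0xff00) return `${addr} is in ff00::/8 (multicast)`;
    return null;
  }
  return `${addr} is not an IP address`;
}

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

function checkWebhookDestination(rawUrl: string, resolve: Resolver): { ok: boolean; reason?: string } {
  const url = parseUrl(rawUrl);
  if (!url) return { ok: false, reason: "malformed URL" };
  // Scheme allowlist, not a denylist: file:, gopher:, ftp: and friends all fail here.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The URL parser has already normalized numeric hosts ("http://2130706433/") to
  // dotted-quad form, so obfuscated loopback literals reach the IP check as 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || METADATA_HOSTS.has(host)) {
    return { ok: false, reason: `hostname ${host} is blocked` };
  }
  // Literal IPs are checked directly; names are resolved and EVERY answer is checked.
  const isLiteral = parseIPv4(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: `hostname ${host} did not resolve` };
  for (const a of addrs) {
    const why = isBlockedAddress(a);
    if (why) return { ok: false, reason: why };
  }
  return { ok: true };
}
```

The check is only as good as the connection that follows it: the sender must connect to one of the addresses it just validated (pin the IP and keep the original hostname for the Host header and SNI), otherwise a DNS answer that changes between check and connect bypasses the filter. Disabling redirects, as the paragraph describes, closes the other route around the check, since a redirect to an internal address would otherwise be followed without ever passing through this function.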
Backups & disaster recovery
- Automated daily database backups via Railway.
- 30-day retention.
- Backup restore tested quarterly.
- Target RPO: 24 hours. Target RTO: 4 hours.
Monitoring & incident response
- Error monitoring via application logs on Railway.
- Stripe webhooks are verified with Stripe's signature scheme and deduplicated by event ID.
- Security incidents: we aim to notify affected customers within 72 hours of becoming aware of a personal-data breach, so that they can meet their own notification duties under GDPR Art. 33.
- Post-mortems published for any incident affecting multiple customers.
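The two controls on the Stripe webhook endpoint, signature verification and deduplication by event ID, as an added example that is not the product's own code. It follows Stripe's documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>` with the endpoint secret, sent in a `Stripe-Signature` header of the form `t=<ts>,v1=<hex>[,v1=<hex>]`); the receiver class, the in-memory seen-ID set and the fixture signer are this example's constructions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not the product's own code): Stripe-Signature verification plus
// event-ID deduplication. Class and function names are this example's.

const TOLERANCE_SECONDS = 300; // Stripe's default replay window

function parseStripeSignature(header: string): { t: number; v1: string[] } {
  let t = Number.NaN;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const k = part.slice(0, eq).trim();
    const v = part.slice(eq + 1).trim();
    if (k === "t") t = Number(v);
    else if (k === "v1") v1.push(v); // several v1 values appear during secret rotation
  }
  return { t, v1 };
}

// rawBody must be the bytes exactly as received: re-serializing parsed JSON changes
// whitespace and key order and the signature stops matching.
function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSeconds: number): boolean {
  const { t, v1 } = parseStripeSignature(header);
  if (!Number.isFinite(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) return false; // stale or replayed
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  return v1.some((sig) => {
    const got = Buffer.from(sig, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// Constructed for this example: what Stripe computes on its side, used to build fixtures.
function signLikeStripe(rawBody: string, secret: string, t: number): string {
  const mac = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${mac}`;
}

type Outcome = "rejected" | "duplicate" | "processed";

class StripeWebhookReceiver {
  private readonly secret: string;
  // In production this is a uniqueness-constrained table; a Set stands in here.
  private readonly seenEventIds = new Set<string>();

  constructor(secret: string) {
    this.secret = secret;
  }

  handle(rawBody: string, header: string, nowSeconds: number): Outcome {
    // Authenticate first: an unverified body is never parsed as an event.
    if (!verifyStripeSignature(rawBody, header, this.secret, nowSeconds)) return "rejected";
    const event = JSON.parse(rawBody) as { id: string; type: string };
    // Record the ID before acting, so a retry that races the first delivery cannot run twice.
    if (this.seenEventIds.has(event.id)) return "duplicate";
    this.seenEventIds.add(event.id);
    // ... apply the event (plan change, cancellation, ...) here ...
    return "processed";
  }
}
```

Stripe retries deliveries that did not receive a 2xx, so the duplicate path is a normal event, not an attack; answering it with a 2xx without re-applying the change is what makes the endpoint idempotent.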
Secure software development
- Code reviewed before merge to main.
- Dependencies updated regularly.
- Static analysis + type checking (TypeScript) in CI.
- Deployment via tagged releases for traceability.
Data residency
Primary infrastructure is US-East; daily backups are replicated. For EU-specific data residency requirements, contact sales@leadconneqt.com. Enterprise plans can include EU-only hosting.
Compliance
- GDPR / UK GDPR: see our Privacy Policy and DPA.
- PCI DSS: we never store card data directly; Stripe (PCI DSS Level 1) handles payments.
- SOC 2: planned for 2026. Not yet certified.
Responsible disclosure
Found a vulnerability? We'd love to hear from you. Email security@leadconneqt.com with a clear description, reproduction steps, and an impact assessment.
We aim to:
- Acknowledge your report within 72 hours
- Provide an initial severity assessment within 7 days
- Work with you on disclosure timing (typically 90 days)
- Credit you publicly if you'd like (and the issue warrants)
Please do not access, modify, or delete other customers' data while testing. Social engineering, physical attacks, and denial of service are out of scope.
Questions
Security inquiries: security@leadconneqt.com