Deskwise.co
Private beta
Security

Built like real software. From day one.

We're a small team, but our architecture isn't. The same patterns big SaaS uses to keep customer data isolated and auditable are wired into Deskwise before the first paying customer.

Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest via Postgres. Stripe handles all card data; we never see PAN.
Tenant isolation
Every domain row is scoped to your salon. Postgres row-level security policies re-check tenant context on every read and write.
Webhook signatures
Every inbound webhook (Stripe, Twilio, VAPI, Clerk) has its signature verified before any side effect runs.
Secrets handling
API keys live in environment variables, never in the codebase. Production secrets rotate quarterly.
Audit log
Every write to a tenant-scoped table records actor, timestamp, before/after state. Owners see their own audit log.
Soft deletes
Deletion adds a deleted_at marker — rows are recoverable for 30 days, then purged.
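
The "verify before any side effect" ordering from the webhook item above, shown as an added example (not Deskwise's code). It assumes an HMAC-SHA256 header in the `t=<timestamp>,v1=<hex>` form that Stripe documents; other providers sign differently, and the function names, secret and 300-second tolerance are illustrative assumptions.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not a value from the page


class SignatureError(Exception):
    """Raised when a webhook fails verification; the caller must not process it."""


def sign(payload: bytes, secret: bytes, timestamp: str) -> str:
    # Sign the raw bytes exactly as received; re-serialised JSON will not match.
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def parse_header(header: str):
    """Split 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into a timestamp and candidates."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    return timestamp, candidates


def verify(payload: bytes, header: str, secret: bytes, now=None) -> None:
    timestamp, candidates = parse_header(header)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        raise SignatureError("malformed signature header")
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance (possible replay)")
    expected = sign(payload, secret, timestamp).encode()
    # compare_digest avoids leaking the match position through timing.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        raise SignatureError("signature mismatch")


def handle_webhook(payload, header, secret, side_effects, now=None) -> int:
    """Return an HTTP status; side_effects is only touched after verify() passes."""
    try:
        verify(payload, header, secret, now)
    except SignatureError:
        return 400
    side_effects.append(payload)  # stand-in for the real database write
    return 200
```

The handler must receive the unparsed request body; frameworks that decode JSON before the handler runs will break the comparison.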

Compliance roadmap

  • SOC 2 Type I
    Engaged auditor — Q3 2026 target
    in progress
  • SOC 2 Type II
    Six months after Type I
    next
  • GDPR / CCPA data subject requests
    Export + delete endpoints in product
    in progress
  • HIPAA tier (BAA-eligible vendors)
    Triggered when first healthcare customer needs it
    exploring

Reporting issues

Found a vulnerability? Email contact@vellor-systems.com. We acknowledge within 24 hours and patch critical issues within 72 hours.