Security

How We Protect Your Data

Your financial records, job costs, invoices, and client information are among the most sensitive data you manage. We take that seriously. This page describes the technical and organizational controls we maintain to protect it.

If you are a security researcher and have found a potential vulnerability, see the Responsible Disclosure section at the bottom of this page.


Encryption

In transit. Every connection between your browser and our servers is encrypted using TLS 1.2 or TLS 1.3. We enforce HTTPS across all domains and subdomains, and HTTP connections are automatically redirected to HTTPS. We send an HSTS (HTTP Strict Transport Security) header with a max-age of at least one year, so a browser that has seen it refuses to fall back to plain HTTP for that period, which defeats protocol downgrade (SSL-stripping) attacks on later visits.

At rest. All data stored in our databases and file storage systems is encrypted at rest using AES-256. Encryption keys are managed through AWS Key Management Service (KMS) and rotated on a defined schedule. Database backups are encrypted with the same standard before being written to storage.

In transit between services. Internal service-to-service communication within our infrastructure is encrypted and authenticated. We do not transmit sensitive data over unencrypted channels, including internal networks.


Infrastructure and Hosting

Contractor’s Ledger is hosted on Amazon Web Services (AWS) in the United States. We rely on AWS’s physical and environmental security controls, which are covered by AWS’s SOC 1 and SOC 2 reports and its ISO 27001 and PCI DSS certifications.

Our production infrastructure is configured according to the principle of least privilege. Network access is restricted through security groups and VPC configurations that limit exposure to only what is required for each service to function. No database or internal service is directly accessible from the public internet.

We operate across multiple AWS Availability Zones for resilience. If a single zone or component fails, workloads fail over automatically to a healthy zone.


Authentication and Access Control

Multi-factor authentication (MFA). We strongly recommend enabling MFA on your account. We support authenticator apps (TOTP) and email-based verification codes; authenticator apps are the stronger option, because the second factor then does not depend on the security of your mailbox. Accounts with MFA enabled are significantly more resistant to credential-based attacks such as password reuse and credential stuffing.

Password security. Passwords are never stored in plain text. We use bcrypt with a high work factor to hash passwords before storage. We enforce a minimum password length and check new passwords against databases of known-compromised credentials.
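The compromised-credential check can be done without sending the candidate password, or even its full hash, to the lookup service. The following is an added example, not Contractor’s Ledger code (the page does not say which corpus or protocol it uses): it implements the k-anonymity range lookup that public breach corpora such as Pwned Passwords expose, with a constructed in-memory corpus standing in for the remote service, an assumed 12-character minimum length, and a stand-in fetch_range function in place of the HTTPS call. The bcrypt hashing step for storage is not shown.

```python
"""Reject a new password if it is too short or appears in a breached-password
corpus, using a k-anonymity range lookup: only the first five hex characters
of the SHA-1 digest leave the client; the remaining 35 are matched locally.

Added example, not Contractor's Ledger code. MIN_LENGTH, the BREACHED corpus
and fetch_range are constructed stand-ins."""
import hashlib
from typing import Dict, List, Tuple

MIN_LENGTH = 12  # assumed minimum; the page states only that a minimum is enforced

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
BREACHED: Dict[str, int] = {
    "password": 9_000_000,
    "correct horse battery staple": 1_500,
    "Contractor2024!": 3,
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix
    (sent to the service) and a 35-char suffix (kept on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Index the corpus the way a range endpoint serves it: one body per
    5-char prefix, each line 'SUFFIX:COUNT'."""
    grouped: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in grouped.items()}


RANGES = build_ranges(BREACHED)


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call GET /range/<prefix>. Nothing but the
    5-character prefix is ever sent, so the service cannot learn the password."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    return RANGES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Length is checked first so that a short
    password is never hashed and looked up at all."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    prefix, suffix = sha1_prefix_suffix(password)
    count = parse_range(fetch_range(prefix)).get(suffix, 0)
    if count:
        return False, f"appears {count} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Contractor2024!", "Wq7#lvRm2!pZ9x"):
        print(candidate, check_password(candidate))
```

The suffix comparison happens on the client, so the service learns only that one of the many passwords sharing a 5-character prefix was checked. A production version would call the real range endpoint over HTTPS in fetch_range and should treat a failed lookup as "unknown", not as "safe".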

Session management. User sessions are protected by cookies carrying the Secure, HttpOnly, and SameSite attributes, so the session token is sent only over HTTPS, is not readable by page scripts, and is not attached to cross-site requests. Sessions expire after a period of inactivity and can be revoked from your account settings at any time. A list of active sessions is visible in your account dashboard.
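The transport and session-cookie controls described above are visible in any response, so they can be audited from outside. The following is an added example, not Contractor’s Ledger code: it parses Strict-Transport-Security and Set-Cookie headers and flags an HSTS max-age below one year, a missing includeSubDomains directive (a check beyond the page’s stated commitment, included because HTTPS is enforced on subdomains as well), and a session cookie lacking Secure, HttpOnly or a restrictive SameSite value. The header samples are constructed and the session cookie name "session" is an assumption.

```python
"""Audit an HTTP response's headers against the transport and session
controls described on this page: HSTS with max-age of at least one year, and
a session cookie carrying Secure, HttpOnly and a restrictive SameSite.

Added example, not Contractor's Ledger code. Header samples are constructed;
the session cookie name is an assumption."""
from typing import Dict, List, Tuple

ONE_YEAR = 365 * 24 * 60 * 60  # 31,536,000 seconds, the page's minimum max-age
SESSION_COOKIE = "session"     # assumed name of the session cookie


def parse_hsts(value: str) -> Tuple[int, List[str]]:
    """Return (max_age, other directives lower-cased) for a value such as
    'max-age=31536000; includeSubDomains; preload'. max_age is -1 when
    missing or malformed. Directive names are case-insensitive (RFC 6797)."""
    max_age, flags = -1, []
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else -1
        elif name:
            flags.append(name)
    return max_age, flags


def check_hsts(headers: Dict[str, List[str]]) -> List[str]:
    """Findings for the HSTS header; an empty list means it meets the bar."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["HSTS: header missing"]
    findings: List[str] = []
    max_age, flags = parse_hsts(values[0])
    if max_age < 0:
        findings.append("HSTS: max-age missing or malformed")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in flags:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_session_cookie(headers: Dict[str, List[str]]) -> List[str]:
    """Findings for the session cookie's attributes."""
    for value in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(value)
        if name != SESSION_COOKIE:
            continue
        findings: List[str] = []
        if "secure" not in attrs:
            findings.append("cookie: Secure attribute missing")
        if "httponly" not in attrs:
            findings.append("cookie: HttpOnly attribute missing")
        same_site = attrs.get("samesite", "").lower() or "unset"
        if same_site not in ("lax", "strict"):
            findings.append(f"cookie: SameSite={same_site}; expected Lax or Strict")
        return findings
    return [f"cookie: no Set-Cookie for {SESSION_COOKIE!r}"]


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Run every check; header names are matched case-insensitively."""
    lowered = {name.lower(): values for name, values in headers.items()}
    return check_hsts(lowered) + check_session_cookie(lowered)


# Constructed samples: a response meeting the controls and one falling short.
COMPLIANT = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["session=opaque-token; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
WEAK = {
    "Strict-Transport-Security": ["max-age=300"],
    "Set-Cookie": ["session=opaque-token; Path=/; SameSite=None"],
}

if __name__ == "__main__":
    for label, response in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, audit(response) or ["no findings"])
```

SameSite=None is reported because it explicitly allows the cookie on cross-site requests; browsers also ignore it unless Secure is present, so the weak sample fails for two related reasons.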

Role-based access control (RBAC). Subscriptions that include multiple team members support role-based permissions. Administrators can control which team members have access to billing, reporting, client records, and administrative settings.

Internal access controls. Access to production systems and customer data by Contractor’s Ledger employees is restricted to a small number of authorized personnel on a need-to-know basis. All production access requires MFA and is logged. Access is reviewed quarterly. Access is revoked immediately upon role change or departure.


Payment Security

We do not store, process, or transmit raw credit card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment service provider — the highest level of certification available in the payments industry.

When you enter card details, they are transmitted directly to Stripe via Stripe.js without passing through our servers. We store only a tokenized reference to your payment method.

Details of Stripe’s security posture are available at stripe.com/docs/security.


Data Backups and Recovery

Production databases are backed up continuously using point-in-time recovery (PITR). Full snapshots are taken daily and retained for 35 days. Weekly snapshots are retained for 12 weeks.

Backups are stored in a separate AWS region from production systems. Restore procedures are tested quarterly to verify that backups are complete and recoverable within our target recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour.


Monitoring and Threat Detection

We maintain continuous monitoring of our infrastructure and application layer:

  • Application logging — all authentication events, permission changes, data exports, and administrative actions are logged and retained for 90 days
  • Anomaly detection — we monitor for unusual access patterns, including logins from new locations or devices, high-volume data exports, and repeated failed authentication attempts
  • Infrastructure monitoring — we use automated alerting for CPU, memory, disk, and network anomalies
  • Dependency scanning — we automatically scan our application dependencies for known vulnerabilities using Dependabot and Snyk
  • Static analysis — all code changes undergo automated static analysis security testing (SAST) before deployment
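Several of the patterns listed above, repeated failed authentication attempts, high-volume exports and logins from new locations, can be expressed as simple rules over the authentication log. The following is an added example, not Contractor’s Ledger detection code: it runs a sliding-window burst rule (applied here to both failed logins and data exports) and a per-account new-country rule over a constructed JSON-lines log. The log format, field names, thresholds and sample events are all assumptions made for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Run the detections the Monitoring section describes over authentication
and export events: repeated failed logins, a burst of data exports, and a
successful login from a country not previously seen for that account.

Added example, not Contractor's Ledger code. The log format (one JSON object
per line with ts, event, user, ip, country), the thresholds and the sample
lines are all constructed for illustration."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# event type -> (rule name, count that triggers, sliding window). Assumed values.
BURST_RULES: Dict[str, Tuple[str, int, timedelta]] = {
    "login_failure": ("repeated_failures", 5, timedelta(minutes=10)),
    "data_export": ("high_volume_export", 3, timedelta(hours=1)),
}

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "event": "login_success", "user": "dana", "ip": "203.0.113.10", "country": "US"}
{"ts": "2024-05-01T09:05:00Z", "event": "login_failure", "user": "dana", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-05-01T09:06:00Z", "event": "login_failure", "user": "dana", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-05-01T09:07:00Z", "event": "login_failure", "user": "dana", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-05-01T09:08:00Z", "event": "login_failure", "user": "dana", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-05-01T09:09:00Z", "event": "login_failure", "user": "dana", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-05-01T10:00:00Z", "event": "login_failure", "user": "lee", "ip": "203.0.113.20", "country": "US"}
{"ts": "2024-05-01T10:30:00Z", "event": "login_failure", "user": "lee", "ip": "203.0.113.20", "country": "US"}
{"ts": "2024-05-01T11:00:00Z", "event": "login_success", "user": "sam", "ip": "203.0.113.55", "country": "US"}
{"ts": "2024-05-01T11:10:00Z", "event": "data_export", "user": "sam", "ip": "203.0.113.55", "country": "US"}
{"ts": "2024-05-01T11:20:00Z", "event": "data_export", "user": "sam", "ip": "203.0.113.55", "country": "US"}
{"ts": "2024-05-01T11:40:00Z", "event": "data_export", "user": "sam", "ip": "203.0.113.55", "country": "US"}
{"ts": "2024-05-02T03:10:00Z", "event": "login_success", "user": "dana", "ip": "192.0.2.44", "country": "DE"}
"""


def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines log text into records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events: List[dict]) -> List[dict]:
    """Apply the burst rules and the new-location rule; return alerts in order."""
    # (rule name, user) -> timestamps of matching events still inside the window
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    known_countries: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[dict] = []

    for rec in events:
        user, ts, kind = rec["user"], rec["ts"], rec["event"]

        if kind in BURST_RULES:
            rule, threshold, window = BURST_RULES[kind]
            recent = windows[(rule, user)]
            recent.append(ts)
            while ts - recent[0] > window:  # drop events older than the window
                recent.popleft()
            # Fire exactly when the threshold is reached, so one burst yields one alert
            if len(recent) == threshold:
                alerts.append({"rule": rule, "user": user, "ts": _iso(ts),
                               "detail": f"{threshold} {kind} events within {window}"})

        elif kind == "login_success":
            seen = known_countries[user]
            # The first successful login seeds the baseline and does not alert
            if seen and rec["country"] not in seen:
                alerts.append({"rule": "new_location", "user": user, "ts": _iso(ts),
                               "detail": f"login from {rec['country']}; previously seen {sorted(seen)}"})
            seen.add(rec["country"])
            windows[("repeated_failures", user)].clear()  # a success ends the failure streak

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "lee" account shows the window doing its job: two failures thirty minutes apart never reach the threshold. In production the country baseline would be loaded from history rather than learned from the same batch, and a GeoIP lookup would supply the country field from the IP.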

Penetration Testing and Security Reviews

We engage independent third-party security firms to conduct penetration tests of our application and infrastructure at least once per year. Findings are triaged by severity and remediated according to defined timelines:

Severity   Remediation target
Critical   24 hours
High       7 days
Medium     30 days
Low        90 days

We also conduct internal security reviews of significant new features before they are released to production.


Employee Security

  • All employees and contractors with access to customer data complete security awareness training during onboarding and annually thereafter.
  • Background checks are conducted for roles with access to production systems or customer data, subject to applicable law.
  • All personnel with access to sensitive systems are bound by confidentiality agreements.
  • We enforce a clean desk policy and full-disk encryption on all company-issued devices.

Incident Response

We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. Key commitments:

  • Confirmed security incidents are escalated to our response team within 1 hour of detection.
  • If a breach results in unauthorized access to your personal data, we will notify you by email within 72 hours of determining that your data was affected, consistent with applicable data breach notification laws.
  • Incident notifications will include: what happened, what data was involved, steps we have taken, and steps you can take to protect yourself.
  • Post-incident reports are shared with affected customers upon request.

Our status page at status.contractorsledger.com is updated during any security incident with real-time information.


Subprocessor Security

We evaluate the security posture of all third-party subprocessors before engaging them and on an ongoing basis. Key subprocessors are listed in our Privacy Policy. We require subprocessors to maintain security standards consistent with industry best practices and to notify us promptly of any incidents involving our data.


Your Role in Security

Security is a shared responsibility. We protect the infrastructure; you protect your account. We recommend:

  • Enable MFA on your Contractor’s Ledger account
  • Use a strong, unique password not shared with other services
  • Review active sessions periodically and revoke any you don’t recognize
  • Restrict team member permissions to the minimum necessary for their role
  • Be alert to phishing emails — we will never ask for your password via email or phone
  • Export your data regularly as an additional backup

Responsible Disclosure

If you believe you have discovered a security vulnerability in the Contractor’s Ledger platform, please report it to us privately before disclosing it publicly. We ask that you:

  1. Email your findings to [email protected] with a detailed description of the issue
  2. Include steps to reproduce, potential impact, and any supporting evidence
  3. Allow us a reasonable period (typically 90 days) to investigate and remediate before public disclosure
  4. Avoid accessing, modifying, or deleting data that does not belong to you during your research

We commit to:

  • Acknowledging your report within 2 business days
  • Keeping you informed of our investigation progress
  • Not pursuing legal action against researchers acting in good faith within these guidelines

We do not currently offer a paid bug bounty program, but we genuinely appreciate responsible disclosures and will acknowledge your contribution in our release notes if you wish.


Questions

For security-related questions, contact us at [email protected]. For general inquiries, contact [email protected].