Security at Roostr
Your customer list, your photos, your invoices: they belong to your business. Here's how we protect them.
Encrypted in transit and at rest
All traffic is served over TLS. Customer data, photos, signatures, and quote history live in a managed PostgreSQL database with encryption at rest. Session cookies are HMAC-signed and backed by a database row: a forged cookie fails signature verification, and revoking the row invalidates the cookie immediately.
Tenant isolation, enforced in the database
Every business's data is isolated by Postgres row-level security. Application code sets a per-request tenant GUC, and the database itself enforces the boundary, not only application logic: rows belonging to another tenant are invisible to reads, and writes that cross the boundary are rejected.
Modern password storage
Passwords are hashed with Argon2id at OWASP-recommended cost parameters. Accounts still carrying an older hash are upgraded transparently on their next sign-in. Google sign-in uses PKCE and requires Google's email_verified claim to be true before an identity is linked to an account.
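The PKCE exchange and the claim checks described above, as an added example in Python that is not Roostr's code. It builds the client-side verifier and S256 challenge, recomputes the challenge at the token endpoint, and applies the issuer, audience and email_verified checks to ID-token claims; the function names, the client id and the sample claims are constructed, and verifying the ID token's signature is assumed to have been done already by the OIDC library.

```python
# Added example, not Roostr's code: PKCE (RFC 7636, S256) on both sides of the
# exchange, plus the ID-token claim checks applied before a Google identity is
# linked to an account. Function names, client id and sample claims are assumed.
import base64
import hashlib
import hmac
import secrets

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair():
    """Client side: a high-entropy verifier and its S256 challenge.
    token_urlsafe(64) yields 86 unreserved characters, inside RFC 7636's 43..128."""
    verifier = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """Server side at the token endpoint: recompute the challenge from the
    verifier the client now presents and compare in constant time."""
    if not 43 <= len(verifier) <= 128:
        return False
    expected = _b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected.encode(), challenge.encode())


def google_link_allowed(claims: dict, client_id: str) -> bool:
    """Checks on ID-token claims, applied after the token's signature has been
    verified (assumed to be done by the OIDC library that fetched the token).
    Linking should key on `sub`, the stable Google user id, not on the email
    string, and email_verified must be the boolean True, not merely present."""
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and claims.get("aud") == client_id
        and claims.get("email_verified") is True
        and bool(claims.get("sub"))
    )
```

The verifier stays on the client and is sent only to the token endpoint; an attacker who intercepts the authorization code cannot redeem it without the verifier that produced the challenge bound to that code.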
Payment scope minimization
Card data never touches our servers. Stripe handles every charge, payment method, and Connect onboarding flow. We only store Stripe references. Minimizing PCI scope is built into the architecture.
A2P-10DLC compliant messaging
Outbound SMS runs through registered A2P-10DLC campaigns. Customers can reply STOP at any time, and one-click unsubscribe links in marketing email follow RFC 8058. Carrier compliance is treated as a first-class deliverability requirement, not an afterthought.
Active monitoring
Server errors stream to Sentry; product analytics flow through PostHog. Authentication anomalies are audit-logged, and privileged-admin actions and impersonation events write their audit row before they execute, not after.
Engineering practices
Security guarantees are only as strong as the engineering habits behind them. Here's how we work.
Audit-logged super-admin
Platform support can only act on a tenant's data through an explicit impersonation flow. Every privileged action writes an audit row before it runs, and the impersonation cookie carries a 1-hour TTL, with a persistent yellow banner from which the operator can exit at any time.
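The session mechanism from the "Encrypted in transit and at rest" section and the impersonation flow above share one design, shown here as an added Python example that is not Roostr's code: the cookie carries only a random session id and its HMAC, the row behind it lives server-side, and an impersonation session is just such a row with a 1-hour TTL whose audit entry is appended before the cookie is issued. Class and field names, the regular session lifetime and the in-memory store standing in for a table are assumptions.

```python
# Added example, not Roostr's code: an HMAC-signed cookie that carries only a
# session id, backed by a server-side row, plus a 1-hour impersonation session
# whose audit row is written first. Names and the dict-backed store are assumed.
import base64
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 7 * 24 * 3600   # assumed lifetime for ordinary sessions
IMPERSONATION_TTL = 3600      # the 1-hour impersonation TTL the page describes


class SessionStore:
    """Server-side session rows; the cookie carries only a row id plus its MAC."""

    def __init__(self, cookie_secret: bytes):
        self._secret = cookie_secret
        self.rows = {}    # session_id -> row; stands in for a sessions table
        self.audit = []   # audit rows, appended before the privileged action runs

    def _mac(self, session_id: str) -> bytes:
        digest = hmac.new(self._secret, session_id.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=")

    def issue(self, user_id: str, tenant_id: str, ttl: int, actor=None) -> str:
        session_id = secrets.token_urlsafe(32)
        self.rows[session_id] = {
            "user": user_id, "tenant": tenant_id,
            "expires": time.time() + ttl, "actor": actor,
        }
        return f"{session_id}.{self._mac(session_id).decode()}"

    def resolve(self, cookie: str, now=None):
        """Return the session row, or None if the cookie is forged, revoked or expired."""
        now = time.time() if now is None else now
        session_id, sep, mac = cookie.partition(".")
        if not sep or not hmac.compare_digest(mac.encode(), self._mac(session_id)):
            return None   # signature mismatch: the database is never consulted
        row = self.rows.get(session_id)
        if row is None or row["expires"] < now:
            return None   # row deleted (revoked) or past its TTL
        return row

    def revoke(self, cookie: str) -> None:
        self.rows.pop(cookie.partition(".")[0], None)

    def impersonate(self, operator_id: str, tenant_id: str, reason: str) -> str:
        """Issue a 1-hour impersonation session, writing the audit row first so the
        record exists even if issuing the cookie fails afterwards."""
        self.audit.append({
            "actor": operator_id, "action": "impersonate",
            "tenant": tenant_id, "reason": reason, "at": time.time(),
        })
        return self.issue(f"support:{operator_id}", tenant_id,
                          IMPERSONATION_TTL, actor=operator_id)
```

The caveat a practitioner should keep in mind: a cookie copied from a live browser does authenticate until its row is revoked or expires, which is exactly why the row exists. The cookie should also be set with HttpOnly, Secure and a SameSite attribute so it is harder to copy in the first place.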
Least-privilege background jobs
Background workflows (reminders, ad sync, AI command bar) run through Inngest with tenant-scoped helpers. The same RLS boundary that protects browser sessions also protects async jobs.
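The row-level-security boundary from the "Tenant isolation" section and the tenant-scoped helper that background jobs share with request handlers, as an added Python example that is not Roostr's schema or code. It shows a policy keyed on a transaction-local GUC, a helper that binds the tenant with a parameterised set_config call, and a recording connection so the helper can run offline; the table, column and GUC names are assumed.

```python
# Added example, not Roostr's schema or code: a Postgres row-level-security
# policy keyed on a per-transaction GUC, and the helper that scopes a request
# or background job to one tenant. Table, column and GUC names are assumed.
import contextlib
import uuid

# FORCE makes the policy apply to the table owner as well. NULLIF handles the
# empty string a reset GUC leaves behind in a reused session, so an unscoped
# connection compares against NULL and sees no rows: it fails closed.
RLS_DDL = """
CREATE TABLE customers (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON customers
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);
"""

SET_TENANT_SQL = "SELECT set_config('app.tenant_id', %s, true)"  # true = transaction-local


@contextlib.contextmanager
def tenant_scoped(conn, tenant_id):
    """Run a block of queries with app.tenant_id bound for this transaction only.

    Assumes a DB-API connection (psycopg2 style) in non-autocommit mode, which
    opens a transaction on the first execute. set_config(..., true) behaves like
    SET LOCAL: the value dies with the transaction, so a pooled connection cannot
    carry one tenant's id into the next request or job. The id is parameterised,
    never interpolated, and validated as a UUID before it reaches the database.
    """
    tid = str(uuid.UUID(str(tenant_id)))   # raises ValueError on anything else
    cur = conn.cursor()
    try:
        cur.execute(SET_TENANT_SQL, (tid,))
        yield cur
        conn.commit()
    except Exception:
        conn.rollback()
        raise


class RecordingConnection:
    """Constructed stand-in for a database connection so the helper runs offline;
    it records the SQL it would have sent and returns no rows."""

    def __init__(self):
        self.log = []

    def cursor(self):
        return self

    def execute(self, sql, params=()):
        self.log.append((sql, tuple(params)))

    def fetchall(self):
        return []

    def commit(self):
        self.log.append(("COMMIT", ()))

    def rollback(self):
        self.log.append(("ROLLBACK", ()))


def list_customers(conn, tenant_id):
    """The same helper serves a request handler and a background job; the
    policy, not this query, decides which rows exist."""
    with tenant_scoped(conn, tenant_id) as cur:
        cur.execute("SELECT id, name FROM customers ORDER BY name")
        return cur.fetchall()
```

Two checks worth running against a real database: connect as the application role and confirm it is neither a superuser nor marked BYPASSRLS, and run the query once without calling tenant_scoped to confirm it returns zero rows rather than every tenant's.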
Public token routes are explicit capabilities
Booking links, quote links, invoice links, and customer-portal URLs use bearer tokens whose scope is narrowly defined server-side. Possessing a token never grants access beyond the specific record it was minted for.
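One way to build such a capability token, as an added Python example that is not Roostr's code: the token is random, stored only as a hash so a database dump yields nothing usable, and bound server-side to one scope and one record; the route supplies the record id from the URL, so a token minted for one quote cannot open another. The scope names, route shape and in-memory store are assumptions.

```python
# Added example, not Roostr's code: public links as explicit capabilities. Each
# token is random, stored only as a hash, and bound server-side to one scope and
# one record. Scope names, the route shape and the dict-backed store are assumed.
import hashlib
import secrets
import time


class CapabilityStore:
    def __init__(self):
        self.rows = {}   # sha256(token) -> {scope, record_id, expires}; stands in for a table

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def mint(self, scope: str, record_id: str, ttl: int) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits; the only copy goes in the link
        self.rows[self._key(token)] = {
            "scope": scope, "record_id": record_id, "expires": time.time() + ttl,
        }
        return token

    def resolve(self, token: str, scope: str, record_id: str, now=None):
        """Return the row only if the token is live and bound to exactly this scope and record."""
        now = time.time() if now is None else now
        row = self.rows.get(self._key(token))
        if row is None or row["expires"] < now:
            return None
        if row["scope"] != scope or row["record_id"] != record_id:
            return None   # a valid token for some other record: refuse, do not redirect
        return row

    def revoke(self, token: str) -> None:
        self.rows.pop(self._key(token), None)


def quote_view(store: CapabilityStore, quote_id: str, token: str):
    """Handler for GET /quotes/<quote_id>?t=<token> (route shape assumed):
    the record id comes from the URL, and the token must have been minted for it."""
    if store.resolve(token, "quote:view", quote_id) is None:
        return 404, None   # indistinguishable from a quote that does not exist
    return 200, {"quote_id": quote_id}
```

Because the lookup requires scope and record together, a quote-view token presented to an invoice-payment route, or to the view route for a different quote, fails the same way an unknown token does.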
Webhook signature verification
Stripe, Resend, and Twilio webhooks verify their signatures, and OAuth callbacks verify the signature on the identity token they receive, before any payload is allowed to mutate tenant state.
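The verification step for two of those senders, as an added Python example that is not Roostr's code. Stripe signs HMAC-SHA256 over the timestamp and the raw body and sends it in the Stripe-Signature header; Twilio signs HMAC-SHA1 over the full request URL plus the sorted form parameters and sends it base64-encoded in X-Twilio-Signature. Both schemes are publicly documented; the signing helpers are included only so the exchange can be run offline against constructed requests, and the secrets, URL and bodies are constructed.

```python
# Added example, not Roostr's code: verifying Stripe's and Twilio's webhook
# signatures over the raw request before anything is mutated. The signing
# helpers exist so the exchange runs offline; secrets, URL and bodies are constructed.
import base64
import hashlib
import hmac
import time

STRIPE_TOLERANCE = 300   # seconds of clock skew Stripe's own libraries allow


def stripe_sign(payload: bytes, secret: str, ts: int) -> str:
    """Produce a Stripe-Signature header (sender side, used here as a fixture)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_stripe(payload: bytes, sig_header: str, secret: str, now=None) -> bool:
    """Check the header against the RAW body bytes; re-serialised JSON will not match."""
    now = time.time() if now is None else now
    ts, v1s = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            ts = value
        elif key == "v1":          # several v1 values appear during secret rotation
            v1s.append(value)
    if ts is None or not ts.isdigit() or not v1s:
        return False
    if abs(now - int(ts)) > STRIPE_TOLERANCE:
        return False                # stale: blocks replay of a captured delivery
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected.encode(), v.encode()) for v in v1s)


def twilio_sign(url: str, params: dict, auth_token: str) -> str:
    """Produce an X-Twilio-Signature (sender side, used here as a fixture)."""
    data = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_twilio(url: str, params: dict, sig_header: str, auth_token: str) -> bool:
    """url must be the exact public URL Twilio called, including scheme, host
    and query string; behind a proxy, rebuild it from the forwarded headers."""
    expected = twilio_sign(url, params, auth_token)
    return hmac.compare_digest(expected.encode(), sig_header.encode())


def handle_stripe_event(payload: bytes, sig_header: str, secret: str, now=None):
    """Gate: nothing below the check runs unless the signature verified."""
    if not verify_stripe(payload, sig_header, secret, now):
        return 400, "invalid signature"
    return 200, "accepted"   # parse the event and mutate tenant state only here
```

The two failure modes to test in a real deployment are the ones the example exercises: a body that was parsed and re-serialised before signing (the digest no longer matches), and a URL rebuilt behind a load balancer with the wrong scheme or host (Twilio's digest no longer matches). Deduplicating on the event id after verification is the usual companion to the timestamp tolerance.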
What we're working on
We don't claim certifications we haven't earned. Here's our honest roadmap.
SOC 2 Type I
Audit prep underway. We'll post the report here once it's issued.
GDPR data-processing addendum
Standard DPA available on request. Email security@roostr.app.
Bug bounty program
Public scope and rewards launching alongside SOC 2 attestation.
Found a vulnerability?
We take responsible disclosure seriously. Email security@roostr.app with reproduction steps. Please give us a reasonable window to fix the issue before public disclosure.
Start your free trial