Security
How we protect your shop and customer data
At HeavyBase, we take the security of your data seriously. Your shop data, customer records, and financial information are critical to your business, and we implement multiple layers of protection to keep them safe.
Infrastructure Security
Encryption in Transit
All data transmitted between your browser and HeavyBase is encrypted using TLS 1.2+ (HTTPS). No data is ever sent in plaintext.
Encryption at Rest
Database storage is encrypted at rest using AES-256 encryption through our hosting provider, Supabase (built on AWS).
Hosting
HeavyBase is hosted on Vercel (application) and Supabase (database), both of which maintain SOC 2 compliance and enterprise-grade infrastructure.
DDoS Protection
Our hosting providers include built-in DDoS protection and automatic scaling to maintain availability during traffic spikes.
Data Isolation
- Row-Level Security (RLS): Every database query is filtered by shop ID at the database level. Shops can only access their own data — it is impossible for one shop to read another shop's customers, work orders, or invoices.
- Multi-Tenant Architecture: All shops share the same infrastructure but their data is logically isolated through enforced security policies.
- Service Role Separation: Client-side queries are restricted by RLS policies. Administrative operations use a separate service role with audit logging.
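The shop-ID filtering described above is, on Supabase, a PostgreSQL row-level security policy. The following is an added example written for this page, not HeavyBase's own schema or policies: the table, column and function names (shop_members, customers, current_user_shop_ids) are assumed for illustration, while auth.uid() and the authenticated role are Supabase's own.

```sql
-- Added example (not HeavyBase's schema): scoping every query to the
-- caller's shop with PostgreSQL row-level security. Names are assumed.

-- Which users belong to which shop. auth.uid() (Supabase) returns the
-- authenticated user's id taken from the request's JWT.
create table shop_members (
  user_id uuid not null,
  shop_id uuid not null,
  primary key (user_id, shop_id)
);

create table customers (
  id      uuid primary key default gen_random_uuid(),
  shop_id uuid not null,
  name    text not null
);

-- Policies do nothing until RLS is enabled. FORCE applies it to the table
-- owner as well, so a misconfigured connection role gains no shortcut.
alter table customers enable row level security;
alter table customers force row level security;

-- The set of shops the caller may see. security definer lets it read
-- shop_members even if that table is itself protected by RLS.
create or replace function current_user_shop_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select shop_id from shop_members where user_id = auth.uid()
$$;

-- Reads: rows from other shops are simply invisible, whatever the query.
create policy customers_select_own_shop on customers
  for select to authenticated
  using (shop_id in (select current_user_shop_ids()));

-- Writes: a client cannot insert a row into, or move a row to, another shop.
create policy customers_insert_own_shop on customers
  for insert to authenticated
  with check (shop_id in (select current_user_shop_ids()));

create policy customers_update_own_shop on customers
  for update to authenticated
  using      (shop_id in (select current_user_shop_ids()))
  with check (shop_id in (select current_user_shop_ids()));

-- A member of shop A running this sees only shop A's customers; there is
-- no client-side WHERE clause to forget or to tamper with.
select id, name from customers;
```

Two points worth checking in any deployment of this pattern: first, RLS is per table, so each table holding tenant data (work orders, invoices) needs its own enable/force and policies; second, Supabase's service role bypasses RLS entirely, which is why the page's separation of that role from client-side queries, with audit logging, matters.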
Authentication & Access Control
- Secure Authentication: User authentication is handled through Supabase Auth with support for email/password and Google OAuth. Passwords are hashed using bcrypt and never stored in plaintext.
- Token-Based Sessions: Sessions use JWTs with automatic expiration and refresh. No sensitive data is stored in cookies.
- Role-Based Access Control: Four permission levels (Owner, Manager, Service Writer, Technician) restrict access to features and data based on each user's role.
- Device Mode & PIN Authentication: Shop floor tablets operate in a locked kiosk mode. Staff use 4-digit PINs to access only their assigned portal. PIN sessions time out after 15 minutes of inactivity.
- Device Lock Security: Registered devices cannot access the dashboard, settings, or admin features. Only an owner or manager can unlock a device from kiosk mode.
Payment Security
- PCI-DSS Compliance: All payment processing is handled by Stripe, a PCI Level 1 certified payment processor. HeavyBase never sees, stores, or processes credit card numbers.
- Stripe Connect: Shop owners connect their own Stripe accounts. Funds are transferred directly to the shop's bank account — HeavyBase never holds customer payment funds.
- Tokenized Payment Links: Customer payment links use secure random tokens (not predictable IDs) and expire after 72 hours.
Communication Security
- SMS via Telnyx: Text messages are sent through Telnyx's enterprise messaging platform, which maintains SOC 2 Type II compliance.
- Customer Authorization: Work authorization pages use unique, non-guessable tokens. Customers review and digitally sign estimates through secure, encrypted connections.
- No Sensitive Data in SMS: Payment links sent via SMS contain tokenized URLs — no financial data is included in the message body.
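Both the payment links (random tokens, 72-hour expiry) and the work-authorization pages (non-guessable tokens) rest on the same mechanism: a token that carries no meaning, is drawn from a cryptographic random source, and is checked against a stored record with an expiry. The block below is an added example for this page, not HeavyBase's code; it uses PostgreSQL's pgcrypto extension, and the table and function names (payment_links, issue_payment_link, redeem_payment_link) are assumed.

```sql
-- Added example (not HeavyBase's code): issuing and redeeming expiring
-- link tokens in PostgreSQL. Table and function names are assumed.
create extension if not exists pgcrypto;

create table payment_links (
  id         uuid primary key default gen_random_uuid(),
  invoice_id uuid not null,
  -- Only a SHA-256 hash of the token is stored, so a read of this table
  -- (a backup, a leaked dump) does not yield working links.
  token_hash bytea not null unique,
  expires_at timestamptz not null
);

-- Issue a link: 32 bytes (256 bits) from the CSPRNG, returned to the
-- caller once as hex for the URL; only its hash is persisted. The expiry
-- is the 72 hours the page states; an authorization page would use the
-- same function shape with its own interval.
create or replace function issue_payment_link(p_invoice_id uuid)
returns text
language plpgsql
as $$
declare
  v_token text := encode(gen_random_bytes(32), 'hex');
begin
  insert into payment_links (invoice_id, token_hash, expires_at)
  values (p_invoice_id, digest(v_token, 'sha256'),
          now() + interval '72 hours');
  return v_token;
end;
$$;

-- Redeem a link: the token from the URL is hashed and looked up; an
-- unknown or expired token yields NULL, with no hint as to which.
create or replace function redeem_payment_link(p_token text)
returns uuid
language plpgsql
stable
as $$
declare
  v_invoice uuid;
begin
  select invoice_id
    into v_invoice
    from payment_links
   where token_hash = digest(p_token, 'sha256')
     and expires_at > now();
  return v_invoice;  -- NULL when the token is unknown or expired
end;
$$;

-- Usage: the returned token goes into the SMS link; the customer's
-- request hands it back to redeem_payment_link to resolve the invoice.
-- select issue_payment_link('00000000-0000-0000-0000-000000000001');
-- select redeem_payment_link('<token from the link>');
```

The reason to hash rather than store the token directly is the same as for passwords: the token is a bearer credential, and the database should hold only what is needed to recognise it, not to reproduce it. Storing the hash also makes the 256-bit token a plain lookup key, so no numeric or sequential identifier ever appears in a customer-facing URL.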
Security Practices
- Dependency Management: We regularly update dependencies and monitor for known vulnerabilities.
- Environment Variable Protection: API keys, database credentials, and service tokens are stored as encrypted environment variables, never committed to source code.
- Input Validation: All user input is validated and sanitized to prevent injection attacks (SQL injection, XSS, etc.).
- Error Handling: Internal error details are never exposed to end users. Error responses contain generic messages while detailed logs are stored securely for debugging.
Reporting Security Issues
If you discover a security vulnerability in HeavyBase, please report it to us responsibly. Contact us at support@shopbasehq.com with the subject line "Security Vulnerability Report." We will acknowledge receipt within 48 hours and work to address the issue promptly.
Please do not publicly disclose security vulnerabilities until we have had an opportunity to investigate and address them.