What we do with your shop's data.
We're a small team building software for shops that don't have a security officer on staff. The bar we hold ourselves to: encrypt everything, never store cards, give you a one-click export anytime, and tell you the truth about what's done versus what's in progress.
Where we are today.
Encryption at rest and in transit
All shop data is encrypted at rest on Neon Postgres (AES-256) and in transit over TLS 1.3. Database backups inherit the same encryption.
Authentication + MFA
Auth runs on Clerk. MFA is available for every user and required for admin roles. Session lifetimes, IP allow-listing, and audit logs are configurable per shop.
Payments + PCI-DSS
We never store card numbers. Payment processing runs through Rainforest, which operates in a PCI-DSS Level 1 environment. Card-on-file values are tokenized at the processor.
Hosted in the USA
All production data and backups are hosted in US AWS regions via Vercel (web) and Neon (database). No customer data leaves the United States.
Daily backups
Neon maintains continuous point-in-time backup on the production database with a 14-day restore window. Weekly snapshot retention is 90 days.
Data export anytime
Every customer, vehicle, job, invoice, and payment record exports as CSV from inside the CRM. Your data is yours. If you cancel, we keep it live for 30 days so you can re-import to another system.
SOC 2 Type II
We follow SOC 2 controls today (audited access, MFA, encryption, change management). A formal SOC 2 Type II audit is targeted for late 2026. We can share a current Trust Center summary on request.
Incident response
Documented runbooks for security incidents, a customer notification policy targeted at 72 hours, and a status page for live availability are being formalized through summer 2026.
Who we trust with what.
We don't build identity, payments, or database security from scratch. We work with category leaders so you get their engineering and audits, not just ours.
Clerk (authentication)
SOC 2 Type II, ISO 27001. Powers login, MFA, session management, and admin role enforcement.
Rainforest (payments)
PCI-DSS Level 1. Handles card tokenization, processing, settlement, and dispute response. We never touch card numbers.
Neon (database)
SOC 2 Type II, ISO 27001. AES-256 encrypted Postgres with point-in-time backups. US regions only.
We answer them.
Security questionnaires from fleet customers, audit requests from insurance carriers, and one-off questions about how we store a specific data type - email trust@mobileservicesync.com and you'll get a response from a human inside one business day.