SepticSync
Trust & Security

Security at SepticSync

Last updated: June 15, 2026

SepticSync handles compliance records, customer contact information, and integrated financial data on behalf of municipalities and septic service providers. We take protecting that data seriously and run the platform with the principles below.

Data protection

  • Encryption in transit. All traffic to and from SepticSync is served exclusively over TLS 1.3.
  • Encryption at rest. Customer data is stored in Supabase Postgres (AWS-hosted) with AES-256 encryption at rest.
  • Tenant isolation. Postgres row-level security policies scope every table read and write to the authenticated organization. There is no shared multi-tenant view: an organization cannot see another organization's parcels, customers, jobs, or integrations.
  • Secrets management. Third-party API keys (Anthropic, Stripe, Intuit, Resend, Supabase service role) are stored only as Vercel environment variables and never shipped to the browser bundle or written to logs.
  • Backups. Postgres point-in-time recovery is enabled at the database layer with a 7-day window. File storage (drawings, scanned forms, photos) is replicated across multiple availability zones.

Application security

  • Authentication. User sign-in uses Supabase Auth with email magic links. Session tokens are HttpOnly, Secure, SameSite cookies.
  • Authorization. Every server route validates the caller's organization membership before reading or mutating data. Public endpoints (form-signing tokens, lead capture) use one-time, scoped tokens with explicit expiry.
  • Webhook integrity. Incoming webhooks from QuickBooks Online are verified with HMAC-SHA256 against the verifier token configured in our Intuit Developer dashboard, using constant-time comparison.
  • OAuth tokens. Customer QuickBooks refresh tokens are stored encrypted and refreshed only when access tokens expire. Disconnecting an integration immediately invalidates the tokens both in our database and at Intuit.
  • Dependencies. Production dependencies are managed in a single lockfile, kept current, and reviewed when security advisories are published.
  • Audit logging. All data-changing API requests are logged with the actor, organization, and request id for forensic investigation if needed.

Customer data we do not retain

SepticSync does not collect or store payment card numbers, Social Security numbers, or government ID numbers. Stripe handles all payment card data in their own PCI-compliant environment; we receive only customer ids, payment metadata, and subscription state.

AI processing

When customers use the Smart Migration wizard or the site-sketch recreation tool, the imported files (folder contents, PDFs, photos) are sent server-side to Anthropic's Claude API for structured extraction. We do not send QuickBooks data, payment data, or data belonging to a different organization to the LLM, and Anthropic does not train models on this data per their commercial terms.

Incident response

If we discover or are notified of a security incident affecting customer data, we will:

  1. Triage the scope and impact within 24 hours.
  2. Contain the incident and rotate affected credentials.
  3. Notify affected customers without undue delay and, in any event, within the time required by applicable law (e.g. New York SHIELD Act, applicable state breach notification statutes).
  4. Cooperate with the affected municipality or organization on any FOIL/disclosure obligations they may have.
  5. Publish a post-incident summary describing root cause and remediation.

Reporting a vulnerability

If you believe you've discovered a security vulnerability in SepticSync, please email sean@gardencreative.agency with the subject line "Security report". Please include:

  • A description of the issue and its impact.
  • Steps to reproduce or proof-of-concept code.
  • Your name and any preferred attribution (or a request to remain anonymous).

We commit to acknowledging your report within two business days and keeping you updated as we investigate. We will not pursue legal action against researchers who report vulnerabilities in good faith and give us reasonable time to remediate before public disclosure.

Compliance posture

SepticSync is operated by Garden Creative Agency (Rhinebeck, NY). We align our practices with SOC 2 Type II controls. We have not yet completed a formal SOC 2 attestation; we will publish the report here when available.

Contact

  • Security reports: sean@gardencreative.agency
  • General inquiries: Contact page
  • Mail: SepticSync, Attn: Security, 15 Mill Street, Rhinebeck, NY 12572