Security
Your business runs on Vexor. We treat that like the responsibility it is.
Your quotes, customer lists, job photos, timecards, and payroll data are some of the most sensitive information your business owns. This page explains how Vexor protects that data, who can access it, and what our posture is on privacy, compliance, and incident response.
Encryption
All traffic to and from Vexor is served over TLS 1.2+. HSTS is enforced on the production domain with a one-year max-age, so browsers refuse to downgrade the connection to plain HTTP.
Data at rest is encrypted using AES-256 inside our managed Postgres provider. File storage (photos, JSA PDFs, receipts) is encrypted at the storage layer and served via signed, time-limited URLs.
Row-level access
Every record in Vexor — jobs, quotes, photos, time entries — is partitioned by tenant at the database level using Postgres row-level security.
The application layer does not bypass these rules. A bug in our API cannot leak data across tenants because the database itself refuses the query.
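The following is an added illustration of the tenant-isolation pattern described above (example SQL, not Vexor's own schema or policy text; the `jobs` table, `tenant_id` column, `app_user` role and `app.tenant_id` session setting are assumptions chosen for the example):

```sql
-- Illustrative Postgres row-level security for per-tenant isolation.
-- Added example; table, column, role and setting names are assumptions.
CREATE TABLE jobs (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- ENABLE turns policies on; FORCE makes the table owner subject to them too.
-- Without FORCE, code running as the owner would silently see every tenant.
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read/updated/deleted; WITH CHECK rejects
-- writes whose tenant_id does not match the tenant bound to this session.
-- current_setting(..., true) returns NULL when unset, so an unset tenant
-- yields zero rows rather than all rows (fail closed).
CREATE POLICY tenant_isolation ON jobs
    FOR ALL
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application role must not be a superuser or carry BYPASSRLS,
-- otherwise every policy above is skipped.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON jobs TO app_user;
GRANT USAGE, SELECT ON SEQUENCE jobs_id_seq TO app_user;

-- Per request: SET LOCAL scopes the tenant to this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO jobs (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Roof repair');
-- An API query that forgets its WHERE tenant_id clause still returns
-- only this tenant's rows, because the policy is applied by the database.
SELECT id, title FROM jobs;
COMMIT;

-- Writing a row for a different tenant fails the WITH CHECK expression
-- with "new row violates row-level security policy", so roll it back.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO jobs (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant');
ROLLBACK;
```

To verify the isolation holds in practice, run the last block as the application role and confirm the insert is rejected, and check `pg_roles` for any login role with `rolsuper` or `rolbypassrls` set that the application could connect as.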
Auth & sessions
Authentication is handled by Supabase Auth: email/password with bcrypt hashing, optional OAuth, and time-bound JWT sessions stored as httpOnly cookies.
Field employees clock in with a 4-digit PIN scoped to their device — those PINs never grant access to the office admin app.
Audit logging
Every job has a complete activity timeline: every photo upload, log entry, status change, change order, and approval, attributed to the actor and timestamped.
Sensitive actions (billing changes, employee permission changes, public profile toggles) are recorded for at least 12 months.
Privacy posture (GDPR / CCPA)
Vexor publishes a Privacy Policy, a Cookie Policy, and a Notice at Collection (CCPA-compliant).
We do not sell personal information. We never train external AI models on customer data. Users may request export or deletion of their data at any time.
Backups & recovery
Database backups run daily with 30-day retention and point-in-time recovery for the last 7 days.
Backups are stored in a separate region from the primary database to survive regional incidents.
Vendor stack
Vexor is built on Supabase (Postgres + Auth + Storage), Vercel (hosting), and Stripe (billing). Each of these is SOC 2 Type II certified.
Our composition lets us inherit each vendor's strong security posture instead of rolling our own crypto, our own auth, or our own payments.
Incident response
If we discover a security incident that affects you, we will notify you by email within 72 hours of confirmed impact.
Status and ongoing incidents are published at vexorapp.com/status. Report security issues to security@vexorapp.com.
Compliance roadmap
Vexor is not yet SOC 2 Type II certified as our own legal entity — our underlying vendors are. Formal SOC 2 audit is on the roadmap once customer count crosses the threshold where the audit cost is justified for the typical contractor buyer. We will publish the report here when it's complete.