Security
EverittOS is built for field service teams that handle customer data, job photos, and billing. This page describes how we protect accounts and organization data.
Authentication
Accounts use Supabase Auth with email and password. Sessions are stored in secure HTTP-only cookies. After 30 minutes of inactivity, users are signed out automatically. A warning appears 5 minutes before logout. Mouse movement, keyboard input, touch, and navigation reset the timer.
Password reset and email verification links expire per Supabase settings. Disabled accounts cannot access the app or authenticated APIs.
Data storage
Application data (profiles, organizations, jobs, customers, photos, reports) is stored in Supabase Postgres. Job photos and organization logos are stored in private Supabase Storage buckets. Data is scoped to your organization through row-level security policies.
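As an added illustration of what "scoped to your organization through row-level security" means in Supabase Postgres (this is example SQL, not EverittOS's own schema or policies; the profiles/jobs tables and the org_id column are assumed):

```sql
-- Assumed schema (constructed for this example): a profile ties one auth user to one organization.
create table if not exists public.profiles (
  id     uuid primary key references auth.users (id),
  org_id uuid not null
);
create table if not exists public.jobs (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

-- Until RLS is enabled, no policy is consulted and any authenticated role can read every row.
alter table public.jobs enable row level security;

-- Helper: the caller's organization, derived from the JWT subject that auth.uid() exposes.
-- security definer lets it read profiles even when profiles has its own RLS; the empty
-- search_path forces fully qualified names so the function cannot be redirected to another schema.
create or replace function public.current_org_id()
returns uuid
language sql stable security definer
set search_path = ''
as $$
  select org_id from public.profiles where id = auth.uid()
$$;

-- Reads: only rows that belong to the caller's organization are visible.
create policy "jobs: read own org" on public.jobs
  for select to authenticated
  using (org_id = public.current_org_id());

-- Inserts: a row cannot be created under another organization's id.
create policy "jobs: insert own org" on public.jobs
  for insert to authenticated
  with check (org_id = public.current_org_id());

-- Updates: a row must belong to the caller both before and after the change,
-- so it cannot be moved into another organization.
create policy "jobs: update own org" on public.jobs
  for update to authenticated
  using (org_id = public.current_org_id())
  with check (org_id = public.current_org_id());
```

A useful check when verifying policies like these: a query that is blocked by RLS returns zero rows rather than an error, so test each role with a user from a second organization and confirm that organization's rows never appear.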
Stripe handles payment card data. EverittOS stores subscription status and Stripe customer IDs on the workspace owner profile, not full card numbers.
Access controls
Each user belongs to an organization with a role (owner, admin, manager, employee, contractor, client, or viewer). Permissions control which pages and actions are available. API access (Growth and Enterprise plans) uses scoped API keys stored as hashes.
Client and contractor portals show only jobs and data explicitly shared with that account. Managers grant and revoke client access per job.
Encryption
Traffic to EverittOS uses HTTPS (TLS). Supabase encrypts data at rest on their platform. Session cookies are marked secure in production. Photo URLs use time-limited signed links.
Backups
Database backups and point-in-time recovery are managed by Supabase according to your Supabase project plan. Export customer or job data on request by contacting support@everittventures.com.
Application protections
- Security headers including Content-Security-Policy on all pages
- Rate limits on login, signup, password reset, and sensitive API routes
- Image upload restrictions (type, size, and filename sanitization)
- Input validation on authentication and account routes
- Internal stack traces and diagnostics omitted from production API responses
See also our Privacy Policy and Terms of Service.
These policies are provided for early-stage operations and are not attorney-reviewed. Consult qualified legal counsel before a public launch. Questions: support@everittventures.com