Security

Last reviewed May 2026

Trades businesses run on this software. We design it so it's hard to break, hard to misuse, and impossible to mix data between customers.

Your data is yours, and only yours

Every business on the platform is fully isolated. Another business cannot read your records, cannot see your customers, cannot see your jobs, cannot see your invoices, cannot see your staff. This is enforced on every request - it's not a UI veneer.

Where your data lives

Your operational data and uploaded files are hosted with a reputable managed database provider in a single fixed region. Encrypted at rest. Encrypted in transit on every connection. Backups are encrypted with separate keys.

How you sign in

We never see or store your password. Sign-in is handled by an industry-standard identity provider, which stores only a salted hash of each password, never the password itself.

Two-factor authentication with time-based one-time codes (TOTP) from any standard authenticator app (Google Authenticator, 1Password, Authy, etc.) is available for every account. Turn it on from Settings → Security.

Audit trail

Every change to every record is recorded in an append-only history that admins can review at any time from Settings → Audit log. Nothing is silently mutated; nothing is silently removed.
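The page does not describe how either of these guarantees is implemented. As an added illustration (not TradesCraft's code), the block below models both in a small SQLite schema: the data layer stamps and filters every query by the business taken from the authenticated session, so a record in another business is indistinguishable from one that does not exist, and the audit table carries triggers that make the database itself refuse updates and deletes. The table names, column names and the `Session` shape are assumptions made for the example.

```python
import json
import sqlite3
from dataclasses import dataclass

# Table and column names are assumptions made for this illustration.
SCHEMA = """
CREATE TABLE invoices (
    id          INTEGER PRIMARY KEY,
    business_id TEXT    NOT NULL,
    customer    TEXT    NOT NULL,
    total_cents INTEGER NOT NULL
);
CREATE TABLE audit_log (
    seq         INTEGER PRIMARY KEY AUTOINCREMENT,
    business_id TEXT    NOT NULL,
    actor       TEXT    NOT NULL,
    action      TEXT    NOT NULL,
    row_id      INTEGER NOT NULL,
    before_json TEXT,
    after_json  TEXT,
    at          TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Append-only: the database itself refuses to rewrite or erase history.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


@dataclass(frozen=True)
class Session:
    """Who is calling and for which business. Derived from the authenticated
    identity on the server, never taken from a request parameter."""
    business_id: str
    user: str


class IsolationError(PermissionError):
    """A write would touch a row that is not in the caller's business."""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _audit(conn, s: Session, action: str, row_id: int, before, after) -> None:
    conn.execute(
        "INSERT INTO audit_log (business_id, actor, action, row_id, before_json, after_json)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (s.business_id, s.user, action, row_id,
         None if before is None else json.dumps(before),
         None if after is None else json.dumps(after)),
    )


def create_invoice(conn, s: Session, customer: str, total_cents: int) -> int:
    # business_id is stamped from the session; the caller cannot choose it.
    with conn:
        cur = conn.execute(
            "INSERT INTO invoices (business_id, customer, total_cents) VALUES (?, ?, ?)",
            (s.business_id, customer, total_cents),
        )
        _audit(conn, s, "create", cur.lastrowid, None,
               {"customer": customer, "total_cents": total_cents})
        return cur.lastrowid


def get_invoice(conn, s: Session, invoice_id: int):
    # Every read is scoped by business_id inside the data layer, so another
    # business's row looks exactly like a row that does not exist.
    row = conn.execute(
        "SELECT id, customer, total_cents FROM invoices WHERE id = ? AND business_id = ?",
        (invoice_id, s.business_id),
    ).fetchone()
    return dict(row) if row else None


def update_total(conn, s: Session, invoice_id: int, total_cents: int) -> None:
    with conn:  # one transaction: the change and its audit row land together
        before = get_invoice(conn, s, invoice_id)
        if before is None:
            raise IsolationError(f"invoice {invoice_id} is not in business {s.business_id}")
        # The UPDATE repeats the tenant filter so the write itself is scoped,
        # not just the read that preceded it.
        cur = conn.execute(
            "UPDATE invoices SET total_cents = ? WHERE id = ? AND business_id = ?",
            (total_cents, invoice_id, s.business_id),
        )
        assert cur.rowcount == 1
        _audit(conn, s, "update", invoice_id, before, dict(before, total_cents=total_cents))


def audit_rows(conn, s: Session) -> list:
    # Admins review their own business's history only.
    return [dict(r) for r in conn.execute(
        "SELECT seq, actor, action, row_id, before_json, after_json FROM audit_log"
        " WHERE business_id = ? ORDER BY seq", (s.business_id,))]


def tamper_attempts_blocked(conn) -> bool:
    """True if the database rejects both rewriting and erasing existing audit rows."""
    if conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0] == 0:
        return False  # nothing to tamper with yet; the triggers never fired
    blocked = 0
    for stmt in ("UPDATE audit_log SET action = 'x'", "DELETE FROM audit_log"):
        try:
            conn.execute(stmt)
        except sqlite3.DatabaseError:
            blocked += 1
    return blocked == 2
```

The point of the model is where the checks live: `get_invoice` and `update_total` never accept a `business_id` argument, so there is no code path in which the caller, a UI or a buggy handler can ask for another business's data, and the audit triggers hold even for an administrator with a database console.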

Backups and recovery

Daily backups are retained for 30 days. Our disaster recovery targets are a recovery point objective (RPO) of 24 hours and a recovery time objective (RTO) of 4 hours; in the worst case, that means up to a day of changes since the last backup could be lost.

Your own controls

  • Admins can export the entire business as a single machine-readable file at any time, without contacting us.
  • Anyone can leave the business they're part of, and admins can permanently delete the business and every record it holds. Both flows are self-service at Settings → Security → Your data.
  • Granular per-event notification preferences let people control what they receive at Settings → My Notifications.

What we use third parties for

Card payments are handled by a PCI DSS-compliant payment processor; we never see or store card numbers. Customer-facing SMS and email are delivered through specialist providers under contract. Each provider's privacy and security disclosures apply to their own infrastructure - see our privacy policy for the current list.

Reporting a vulnerability

If you find something, please tell us before telling anyone else. Email security@tradescraft.app with steps to reproduce. We aim to acknowledge within 48 hours and ship fixes for valid high-severity issues within 7 days. We don't run a paid bug-bounty program yet, but we're happy to credit you publicly if you'd like.

Incident notification

If a security incident is likely to result in serious harm to anyone's personal information, we'll notify affected users and the relevant regulator within the timeframes the applicable scheme requires (the Notifiable Data Breaches scheme in Australia, the GDPR breach-notification obligations where they apply, and the Privacy Act 2020 requirements in New Zealand).