We treat your data like it's our own.
ServicesGrid OS runs the operational nervous system of your business — bookings, payments, members, staff. We've built the platform on the assumption that any of that information could matter to your customers, your finances, or your survival. Here's how we protect it.
Six commitments, six controls.
Not a marketing list — these are the controls we've actually built into the platform. Each one is testable; each one is auditable.
Encryption at rest and in transit
All data is encrypted in transit with TLS 1.2+. At rest, PostgreSQL data is encrypted with AES-256 using managed keys. Payment details processed by supported providers never touch our servers directly — they're tokenised at the browser and held by the payment processor under PCI Level 1 controls.
Strict tenant isolation
Every query is scoped by tenantId at the API middleware layer — there is no admin override. Cross-tenant data access is structurally impossible, not just enforced by convention. We test this in CI: a request with one tenant's session cannot read another tenant's data, period.
API keys hashed, never stored raw
Developer API keys (sk_live_…) are hashed with SHA-256 before storage. The raw key is shown once at creation and never recoverable — even by us. Each key carries scopes you choose; revocation is instant and audited.
Daily backups, point-in-time recovery
PostgreSQL is backed up daily with point-in-time recovery. Retention windows vary by workspace plan and rollout scope. Backups are encrypted and stored in a separate region, and we test restore procedures quarterly — not just on paper.
Logged staff access — including ours
ServicesGrid OS platform staff can never silently access tenant data. Every support session is a logged impersonation event with a written reason, start time, end time, and IP address. You can audit every time anyone from our team looked at your account.
GDPR-ready by default
Data subject access requests, data export, and deletion flows are built into the product — you don't file a ticket. Sub-processors, including payment and communications providers, are listed in your account. We do not sell personal data and never will.
What we're working on next.
SOC 2 Type II
We're in the early stages of a SOC 2 Type II programme. We'll publish the final report on this page once we complete the observation period.
Single Sign-On (SSO)
SAML and OAuth-based SSO for Enterprise tenants — ETA published in the changelog as we get closer. Until then, every account supports email-based two-factor.
Bring your own region
Enterprise customers with data residency requirements (EU only, US only) can request a dedicated regional deployment. We'll quote setup time at the contract stage.
Found a security issue? Tell us.
We take security reports seriously and respond within one business day. Please email security@servicesgridos.com with reproduction steps. We do not pursue good-faith research — please give us reasonable time to fix before disclosing publicly.
Built with security as a default, not a feature.
14-day free trial. No card required. Your data is isolated, encrypted, and yours to export at any time.